1. Introduction

The JSON Object Signing and Encryption (JOSE) technologies -- JSON
Web Signature [JWS], JSON Web Encryption [JWE], JSON Web Key [JWK],
and JSON Web Algorithms [JWA] -- can be used collectively to encrypt
and/or sign content using a variety of algorithms. While the full
set of permutations is extremely large, and might be daunting to
some, it is expected that most applications will only use a small set
of algorithms to meet their needs.


This document provides a number of examples of signing or encrypting 
content using JOSE. While not exhaustive, it does compile a 
representative sampling of JOSE features. As much as possible, the 
same signature payload or encryption plaintext content is used to 
illustrate differences in various signing and encryption results. 


This document also provides a number of example JWK objects. These 
examples illustrate the distinguishing properties of various key 
types and emphasize important characteristics. Most of the JWK 
examples are then used in the signature or encryption examples that 
follow. 


All of the examples contained herein are available in a machine- 
readable format at «https://github.com/ietf-jose/cookbook». 


1.1. Conventions Used in This Document


This document separates data that are expected to be input to an 
implementation of JOSE from data that are expected to be generated by 
an implementation of JOSE. Each example, wherever possible, provides 
enough information both to replicate the results of this document and 
to validate the results by running its inverse operation (e.g., 
Signature results can be validated by performing the JWS verify). 
However, some algorithms inherently use random data; therefore, 
computations employing them cannot be exactly replicated. Such cases 
are explicitly stated in the relevant sections. 


All instances of binary octet strings are represented using base64url 
[RFC4648] encoding. 


Wherever possible and unless otherwise noted, the examples include 
the JWS or JWE Compact Serialization, general JWS or JWE JSON 
Serialization, and flattened JWS or JWE JSON Serialization. 


All of the examples in this document have whitespace added to improve 
formatting and readability. Except for JWE Plaintext or JWS Payload 
content, whitespace is not part of the cryptographic operations nor 
the exchange results. 
Unless otherwise noted, the JWE Plaintext or JWS Payload content does
include " " (U+0020 SPACE) characters. Line breaks (U+000A LINE
FEED) replace some " " (U+0020 SPACE) characters to improve
readability but are not present in the JWE Plaintext or JWS Payload.


2. Terminology 


This document inherits terminology regarding JSON Web Signature (JWS) 
technology from [JWS], terminology regarding JSON Web Encryption 
(JWE) technology from [JWE], terminology regarding JSON Web Key (JWK) 
technology from [JWK], and terminology regarding algorithms from 
[JWA]. 


3. JSON Web Key Examples 


The following sections demonstrate how to represent various JWK and 
JWK Set objects. 


3.1. EC Public Key

This example illustrates an Elliptic Curve (EC) public key. This
example is the public key corresponding to the private key in
Figure 2.

Note that whitespace is added for readability as described in
Section 1.1.


{
  "kty": "EC",
  "kid": "bilbo.baggins@hobbiton.example",
  "use": "sig",
  "crv": "P-521",
  "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sY1_oJXu9
      ASRkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
  "y": "AdymlHvOiLxXkEhayXOnNCvDX4h9htZaCJN34kfmC6pV5OhOHiraVy
      SsUdaQkAgDPrwOrJmbnX9cwlGfP-HqHZRI1"
}

Figure 1: Elliptic Curve P-521 Public Key


The field "kty" value of "EC" identifies this as an Elliptic Curve 
key. The field "crv" identifies the curve, which is curve P-521 for 
this example. The values of the fields "x" and "y" are the 
base64url-encoded X and Y coordinates (respectively). 
The values of the fields "x" and "y" decoded are the octets necessary
to represent each full coordinate to the order of the curve. For a
key over curve P-521, the values of the fields "x" and "y" are
exactly 66 octets in length when decoded, padded with leading zero
(0x00) octets to reach the expected length.


3.2. EC Private Key 


This example illustrates an Elliptic Curve private key. This example 
is the private key corresponding to the public key in Figure 1. 


Note that whitespace is added for readability as described in 
Section 1.1. 


{
  "kty": "EC",
  "kid": "bilbo.baggins@hobbiton.example",
  "use": "sig",
  "crv": "P-521",
  "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3vi13nmGZx6sYl oJXu9
      A5RkTKqjqvjyekWFEF-7ytDyRXYgCF5cjOKt",
  "y": "AdymlHvOiLxXkEhayXOnNCvDX4h9htZaCJN34kfmC6pV5OhOHiraVy
      SsUdaQkAgDPrwOrJmbnX9cwlGfP-HqHZRI",
  "d": "AAhRON2r9cqXX1hg-RoI6R1tX5p2rUAYdmpHZoC1XNMb56KtscrX6zb
      KipOrCW9CGZH3T4ubpnoTKLDYJ fF3 rJt"
}

Figure 2: Elliptic Curve P-521 Private Key


The field "kty" value of "EC" identifies this as an Elliptic Curve
key. The field "crv" identifies the curve, which is curve P-521
(also known as SECG curve secp521r1) for this example. The values of
the fields "x" and "y" are the base64url-encoded X and Y coordinates
(respectively). The field "d" value is the base64url-encoded private
key.


The values of the fields "d", "x", and "y" decoded are the octets 
necessary to represent the private key or each full coordinate 
(respectively) to the order of the curve. For a key over curve 
P-521, the values of the "d", "x", and "y" fields are each exactly 66 
octets in length when decoded, padded with leading zero (0x00) octets 
to reach the expected length. 
3.3. RSA Public Key


This example illustrates an RSA public key. This example is the 
public key corresponding to the private key in Figure 4. 


Note that whitespace is added for readability as described in 
Section 1.1. 


{
  "kty": "RSA",
  "kid": "bilbo.baggins@hobbiton.example",
  "use": "sig",
  "n": "nAEPtAOCCO9AlkeOHPzHStgAbgs7bTZLwUBZdR8 KuKPEHLdArHVTeT
      -O-XV2jRojdNhxJWTDvNd7nqQOVEiZOHz AJmSCpMaJMRBSFKrKb2wqV
      wGU NsYOYL-QtiWN2lbzcEe6XCOdApr5ydOLrHqkHHig3RBordaZ6Aj-
      oBHqFEHYpPe7Tpe-OfVfHdlE6cS6MIFZcDINNLYD5lIFHpPI9bTwJlsde
      3uhGqCOZCuEHg8lhzwOHrtIQbSOFVbb9k3-tVTUA4Afg 3L vniUFAKRwuC
      LgKnS2BYwdq mzSnbLY7h qixoR7jig3  kRhuaxwUkRzb5iaiOkqgc5g
      HdrNP5zw",
  "e": "AQAB"
}

Figure 3: RSA 2048-Bit Public Key
The field "kty" value of "RSA" identifies this as an RSA key. The
fields "n" and "e" values are the modulus and (public) exponent
(respectively) using the minimum octets necessary.


For a 2048-bit key, the field "n" value is 256 octets in length when 
decoded. 


3.4. RSA Private Key 


This example illustrates an RSA private key. This example is the 
private key corresponding to the public key in Figure 3. 


Note that whitespace is added for readability as described in 
Section 1.1. 
{
  "kty": "RSA",
  "kid": "bilbo.baggins@hobbiton.example",
  "use": "sig",
  "n": "nAEPtAOCCO9AlkeOHPzHStgAbgs7bTZLwUBZdR8 KuKPEHLdArHVTeT
      -O-XV2jRojdNhxJWTDvNd7nqQOVEiZOHz AJmSCpMaJMRBSFKrKb2wqV
      wGU NsYOYL-QtiWN2lbzcEe6XCOdApr5ydQOLrHqkHHig3RBordaZ6Aj-
      oBHqFEHYpPe7Tpe-OfVfHdlE6cS6MIFZcDINNLYD5lIFHpPI9bTwJlsde
      3uhGqCOZCuEHg8lhzwOHrtIQbSOFVbb9k3-tVTUA4Afg 3L vniUFAKwuC
      LgKnS2BYwdq mzSnbLY7h qixoR7jig3  kRhuaxwUkRzb5iaiOkqgc5g
      HdrNP5zw",
  "e": "AQAB",
  "d": "DWUC9B-EFRIO8kpGfhOZuyGPvMNKvYWNtB ikiH9k20eT-Olq 1I78e
      iZkpXxXQOUTEs2LsNRS-8uJbvQ-AlirkwMSMkK1J3XTGgdrhCku9gRld
      Y7sNA AKZGh-Q661 A42rINLRCe8W-nZ34ui qOfkLnK9QWDDqpalsA-b
      MwWWSDFu2MUBYwkHTMEzLYGqOe04noqeq1hExBTHBOBdkMXiuFhUq1BU
      61-DqEiWxqg82sXt2h-LMnT3046AOYJoRioz75tSUQfGCshWTBnP5uDj
      d18kKhyvO7l1hfSJdrPdM5Plyl21hsFf4L mHCuoFau7gdsPfHPxxjVOc
      OpBrQzwQ",
  "p": "3Sl1xg DwTXJCcb6095RoXygOCAZ5RnAvZlnolyhHtnUex fp7AZ 9nR
      aO7HX -SFfGQeutao2TDjDAWUAVupk8rw9JROAzZON2fvulAmr WCsmG
      peNqQnev1T7IyEsnh8UMt-n5CafhkikzhEsrmndH6LxOrvRJlsPp6Zv8
      bUqOk",
  "q": "uKE2dh-CTf6ERFA4k4e jy78GfPYUIaUyoSSJuBzp3Cubk3OCqs6grT
      8bR_cu0Dm1MZwWmt dqDy 1 95HrUeq3MP15vMMON81HTeZu21mKvwqw7an
      V5UzhM1iZ7z4yMkuUwFWoBvyY898EXvRD-hdqRxHl1SqAZ2192zB3pVFJO
      S7pFc",
  "dp": "B8PVvXkvJrj2L-GYO7v3y9r6Kw5g9SahXBwsWUzpl9TVlgI-YV85q
      1INIbirxQtD-IsXXR3-TanevuRPRt5OBOdiMGOp8pbt26gljYfKU E9xn
      —RULHz0-ed9E9gXLKD4VGngpz-PfO_q29pk5xWHoJp0090f1HvChixRX
      59ehik",
  "dq": "CLDmDGduhylc907r84rEUVn7pzQ6PF83Y-iBZx5NT-TpnOZKFlpEr
      AMVeKzFE141D1HHqqBLSMOW1SOFbwTxYWZDm6sI 60g5iTbwOGIC3gnJK
      bi 7k vJgGHwHxgPaX2PnvP-zyEkDERuf-ry4c Z11Cq9AqC2yeL6kdK
      T1cYF8",
  "qi": "3PiqvXONOzwMeE-sBvZgi289XP9XCOF3VWqPzMKnIgOp7 Tugo6-N
      ZBKCOsMf3HaEGBjIVUs jcK8-TRXvaKe-72MaQj8VfBdYkssbuONKDDh
      jJ-GtiseaDVWt7dcHO0cfwxgFUHpOh7FoCrjFJ6h6ZEpMF6xmujs4qMpP
      z8aal4"
}

Figure 4: RSA 2048-Bit Private Key
The field "kty" value of "RSA" identifies this as an RSA key. The
fields "n" and "e" values are the base64url-encoded modulus and 
(public) exponent (respectively) using the minimum number of octets 
necessary. The field "d" value is the base64url-encoded private 
exponent using the minimum number of octets necessary. The fields 
"p", "q", "dp", "dq", and "qi" are the base64url-encoded additional 
private information using the minimum number of octets necessary. 


For a 2048-bit key, the field "n" is 256 octets in length when 
decoded, and the field "d" is not longer than 256 octets in length 
when decoded. 


3.5. Symmetric Key (MAC Computation) 


This example illustrates a symmetric key used for computing Message 
Authentication Codes (MACs). 


Note that whitespace is added for readability as described in 
Section 1.1. 


{
  "kty": "oct",
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037",
  "use": "sig",
  "alg": "HS256",
  "k": "hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg"
}

Figure 5: HMAC SHA-256 Symmetric Key


The field "kty" value of "oct" identifies this as a symmetric key. 
The field "k" value is the symmetric key. 


When used for the signing algorithm "HS256" (HMAC-SHA256), the field
"k" value is 32 octets (or more) in length when decoded, padded with
leading zero (0x00) octets to reach the minimum expected length.
3.6. Symmetric Key (Encryption)

This example illustrates a symmetric key used for encryption.


Note that whitespace is added for readability as described in 
Section 1.1. 


{
  "kty": "oct",
  "kid": "1e571774-2e08-40da-8308-e8d468773842d",
  "use": "enc",
  "alg": "A256GCM",
  "k": "AAPapAv4LbFbiVawEjagUBluYqN5rhna-8nuldDvOx8"
}

Figure 6: AES 256-Bit Symmetric Encryption Key


The field "kty" value of "oct" identifies this as a symmetric key. 
The field "k" value is the symmetric key. 


For the content encryption algorithm "A256GCM", the field "k" value 
is exactly 32 octets in length when decoded, padded with leading zero 
(0x00) octets to reach the expected length. 


4. JSON Web Signature Examples 


The following sections demonstrate how to generate various JWS 
objects. 


All of the signature examples use the following payload content (an 
abridged quote from "The Fellowship of the Ring" [LOTR-FELLOWSHIP]), 
serialized as UTF-8. The payload is presented here as a series of 
quoted strings that are concatenated to produce the JWS Payload. The 
sequence "\xe2\x80\x99" is substituted for (U+2019 RIGHT SINGLE 
QUOTATION MARK), and quotation marks (U+0022 QUOTATION MARK) are 
added for readability but are not present in the JWS Payload. 


"It\xe2\x80\x99s a dangerous business, Frodo, going out your "
"door. You step onto the road, and if you don't keep your feet, "
"there\xe2\x80\x99s no knowing where you might be swept off "
"to."


Figure 7: Payload Content Plaintext 
The payload -- with the sequence "\xe2\x80\x99" replaced with (U+2019
RIGHT SINGLE QUOTATION MARK) and quotation marks (U+0022 QUOTATION
MARK) removed -- is encoded as UTF-8 and then as base64url
[RFC4648]:

SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJlIHN3ZXBOIG9mZiBOby4

Figure 8: Payload Content, base64url-encoded


4.1. RSA v1.5 Signature 


This example illustrates signing content using the "RS256" (RSASSA-
PKCS1-v1_5 with SHA-256) algorithm.


Note that whitespace is added for readability as described in 
Section 1.1. 


4.1.1. Input Factors

The following are supplied before beginning the signing operation:

o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.

o RSA private key; this example uses the key from Figure 4.

o "alg" parameter of "RS256".

4.1.2. Signing Operation


The following is generated to complete the signing operation: 


o JWS Protected Header; this example uses the header from Figure 9, 
encoded using base64url [RFC4648] to produce Figure 10. 


{
  "alg": "RS256",
  "kid": "bilbo.baggins@hobbiton.example"
}

Figure 9: JWS Protected Header JSON
eyJhbGciOiJSUzIlNiIsImtpZCI6ImJpbGJUvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9

Figure 10: JWS Protected Header, base64url-encoded

The JWS Protected Header (Figure 10) and JWS Payload (Figure 8) are 
combined as described in Section 5.1 of [JWS] to produce the JWS 
Signing Input (Figure 11). 


eyJhbGciOiJSUzIlNiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2l1uZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911IG1pZ2hOIGJl1IHN3ZXBOIGO9mZiBOby4

Figure 11: JWS Signing Input


Performing the signature operation over the JWS Signing Input 
(Figure 11) produces the JWS Signature (Figure 12). 


MRjdkly7 -oTPTS3AXPA1iOIGKa80AO0ZmTuV5MEaHoxnW2e5CZ5NlKtainoFmK
ZopdHM102UA4mwzJdOx996ivp83xuglII7PNDi84wnB-BDkoBwA78185hX-EsA4J
IwmDLJK3lfWRa-XtLORnltuYv746iYTh gHRD68BNt1uSNCrUCTJDt5aAE6x8w
W1Kt9eRo4QPocSadnHXFxnt81s9UzpERVOePPOdLuW3IS de3xyIrDaLGdjluP
XUAhb6L2aXiclU12podGUOKLUQSE oI-ZnmKJ3F4uOZDnd6QZWJushZ41Axf f
cIe8u9ipH840goree7vjbU5y18kDquDg

Figure 12: JWS Signature, base64url-encoded

4.1.3. Output Results 

The following compose the resulting JWS object: 

o JWS Protected Header (Figure 9) 

o Payload content (Figure 8) 


o Signature (Figure 12) 
The resulting JWS object using the JWS Compact Serialization:

eyJhbGciOiJSUzIlNiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJlIHN3ZXBOIGO9mZiBOby4
.
MRjdkly7. -OTPTS3AXPA1iQIGKa80AO0ZmTuV5MEaHoxnW2e5CZ5NlKtainoFmK
ZopdHM102UA4mwzJdOx996ivp83xuglII7PNDi84wnB-BDkoBwA78185hX-EsA4J
IwmDLJK3lfWRa-XtLORnltuYv746iYTh gHRD68BNt1uSNCrUCTJDt5aAE6x8w
W1Kt9eRo4QPocSadnHXFxnt81s9UzpERVOePPOdLuW3IS de3xyIrDaLGdjluP
XUAhb6L2aXiclU12podGUOKLUQSE oI-ZnmKJ3F4uOZDnd6QZWJushZ41Axf f
cIe8u9ipH840goree7vjbU5y18kDquDg

Figure 13: JWS Compact Serialization

The resulting JWS object using the general JWS JSON Serialization: 


{
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGom9kbywg
      Z229pbmcgb3VOIHlvdXIgZG9vci4gWW911HNOZXAgb250byB0O0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "signatures": [
    {
      "protected": "eyJhbGciOiJSUzI1NilsImtpZCI6ImJpbGOvLmJhZ2
          dpbnNAaG9iYm10b24uZXhhbXBsZzSJ9",
      "signature": "MRjdkly7 -oTPTS3AXPAliQIGKa80A0ZmTuV5MEaHo
          xnW2e5CZ5NlKtainoFmKZopdHM1O2UAmwzJdQx996ivp83xuglII
          7PNDi84wnB-BDkoBwA78185hX-EsAJIwWmDLJK31fWRa-XtLORnlt
          uYv746iYTh gHRD68BNt1uSNCrUCTJDt5aAE6x8wWl1Kt9eRo4QPo
          cSadnHXFxnt81s9UzpERVOePPOdLuW31S de3xyIrDaLGdjluPxU
          Ahb6L2aXicl1U12podGUOKLUOQSE oI-ZnmKJ3F4uOZDnd60QZWJush
          ZAlAxf fcle8u9ipH840goree7vjbU5yl18kDquDg"
    }
  ]
}

Figure 14: General JWS JSON Serialization


Miller Informational [Page 14] 


RFC 7520 JOSE Cookbook May 2015 


The resulting JWS object using the flattened JWS JSON Serialization:

{
  "payload": "SXTigJ1zIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGcm9kbywg
      Z29pbmcgb3VOIHlvdXIgZG9vci4gWW911HNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "protected": "eyJhbGciOiJSUzI1NilsImtpZCI6ImJpbGJvLmJhZ2dpbn
      NAaG9iYm10b24uZXhhbXBsZSJ9",
  "signature": "MRjJdkly7_—-oTPTS3AXP41iQTGKa80A0ZmTuV5MEaHoxnw2
      e5CZ5N1KtainoFmKZopdaHM102U4mwzJd0x996ivp83xuglII7PNDi84w
      nB-BDkoBwA78185hX-Es4JIwmDLJK31fWRa-XtLORnltuYv746iYTh q
      HRD68BNt1uSNCrUCTJDt5aAE6x8wW1Kt9eRo4QPocSadnHXFxnt8Is9U
      ZpERVOePPOdLuW3IS de3xyIrDaLGdjluPxUAhb6L2aXic1U12podGUO
      KLUQSE oI-ZnmKJ3F4uOZDnd6QZWJushZ41Axf fcle8u9ipH84ogore
      e7vjbU5yl8kDquDg"
}

Figure 15: Flattened JWS JSON Serialization


4.2. RSA-PSS Signature

This example illustrates signing content using the "PS384" (RSASSA-
PSS with SHA-384) algorithm.

Note that RSASSA-PSS uses random data to generate the signature; it
might not be possible to exactly replicate the results in this
section.

Note that whitespace is added for readability as described in
Section 1.1.

4.2.1. Input Factors

The following are supplied before beginning the signing operation:

o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.

o RSA private key; this example uses the key from Figure 4.

o "alg" parameter of "PS384".
4.2.2. Signing Operation

The following is generated to complete the signing operation:


o JWS Protected Header; this example uses the header from Figure 16, 
encoded using base64url [RFC4648] to produce Figure 17. 


{
  "alg": "PS384",
  "kid": "bilbo.baggins@hobbiton.example"
}

Figure 16: JWS Protected Header JSON


eyJhbGciOiJQUzMANCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml10b24uZX 
hhbXBsZSJ9 


Figure 17: JWS Protected Header, base64url-encoded


The JWS Protected Header (Figure 17) and JWS Payload (Figure 8) are 
combined as described in [JWS] to produce the JWS Signing Input 
(Figure 18). 


eyJhbGciOiJQUzMANCIsImtpZCI6ImJpbGJUvLmJhZ2dpbnNAaG9iYml10b24uZ2X
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJl1IHN3ZXBOIG9mZiBOby4

Figure 18: JWS Signing Input


Performing the signature operation over the JWS Signing Input 
(Figure 18) produces the JWS Signature (Figure 19). 


cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfTOkkOy42miAh2qyBzklxEsnk2I 
pN6-tPid6VrklHkqsGqDqHCdP608TTB5dDDItllVo6 1O0LPpcbUrhiUSMxbbXU 
vdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf8ZnyPEgVEn442ZdNqiVJRmBqrYRX 
e8P ijO7p8VdzOTTrxUeT31m8d9shnr21fJT81ImUjvAA2Xez2Mlp8cBE5awDzT 
OqlI0n6uiP1aCN 2 jLAeOTlqRHtfa64QQSUmFAAjVKPbByi7xhoOuTOcbH510a 
6GYmJUAfmWjwZ60DA4ifKo8DYM-X72Eaw 


Figure 19: JWS Signature, base64url-encoded
4.2.3. Output Results

The following compose the resulting JWS object:

o JWS Protected Header (Figure 17)

o Payload content (Figure 8)

o Signature (Figure 19)

The resulting JWS object using the JWS Compact Serialization:


eyJhbGciOiJQUzMANCIsImtpZCI6ImJpbGJUvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJl1IHN3ZXBOIG9mZiBOby4
.
cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfTOkkOy42miAh2qyBzklxEsnk2I
pN6-tPid6VrklHkqsGqDqHCdP608TTB5dDDItllVo6 1O0LPpcbUrhiUSMxbbXU
vdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf8ZnyPEgVEn442ZdNqiVJRmBqrYRX
e8P ijO7p8VdzOTTrxUeT31m8d9shnr21fJT81ImUjvAA2Xez2Mlp8cBE5awDzT
OqlI0n6uiP1aCN 2 jLAeOTlqRHtfa64QQ0SUmFAAjVKPbByi7xhoOuTOcbH510a
6GYmJUAfmWjwZ60DAifKo8DYM-X72Eaw

Figure 20: JWS Compact Serialization
The resulting JWS object using the general JWS JSON Serialization:

{
  "payload": "SXTigJ1zIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGcm9kbywg
      Z29pbmcgb3VOIH1vdXIgZG9vci4gWwWw91IHNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "signatures": [
    {
      "protected": "eyJhbGci0iJQUZM4NCIsImtpZCI 6ImJpbGJvLmJhZ2
          dpbnNAaG9iYm10b24uZXhhbxXBsZSJ9",
      "signature": "cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfTOkkOy
          42miAh2qyBzk1xEsnk21pN6-tPid6VrklHkqsGqDqHCdP608TTB5
          dDDItllVo6 1OLPpcbUrhiUSMxbbXUvdvWXzg-UD8biiReQFlfz2
          8zGWVsdiNAUf8ZnyPEgVFn442ZdNqiVJRmBqrYRXe8P ijQ7p8Vd
          ZOTTrxUeT31m8d9shnr21fJT81mUjvAA2Xez2Mlp8cBE5awDzTOq
          IOn6uiP1aCN 2 jLAeQTliqRHtfa64QQSUmFAAjVKPbByi7xhoOuT
          OcbH510a6GYmJUAfmWjwZ6o0D4AifKo8DYM-X72Eaw"
    }
  ]
}

Figure 21: General JWS JSON Serialization
The resulting JWS object using the flattened JWS JSON Serialization: 


{
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGom9kbywg
      Z229pbmcgb3VOIHlvdXIgZG9vci4gWW911HNOZXAgb250byB0aGUgcm?9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "protected": "eyJhbGciOiJQUzMANCIsImtpZCI6ImJpbGJvLmJhZ2dpbn
      NAaG9iYm10b24uZXhhbXBsZSJ9",
  "signature": "cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfTOkkOy42mi
      Ah2qyBzk1xEsnk21pN6-tPid6VrklHkqsGqDqHCdP608TTB5dDDItllV
      o6 lOLPpcbUrhiUSMxbbXUvdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf
      8Z2nyPEgVEFn442ZdNqiVJRmBqrYRXe8P ijO7p8VdzOTTrxUeT31m8d9s
      hnr21fJT81mUjvAA2Xez2M1p8cBE5awDzTOqIlIOn6uiP1aCN 2 jLAeQT
      lqRHtfa64QO0SUmFAAjVKPbByi7xhoOuTOcbH510a6GYmJUAfmWjwZ60D
      4ifKo8DYM-X72Eaw"
}

Figure 22: Flattened JWS JSON Serialization
4.3. ECDSA Signature

This example illustrates signing content using the "ES512" (Elliptic
Curve Digital Signature Algorithm (ECDSA) with curve P-521 and SHA-
512) algorithm.


Note that ECDSA uses random data to generate the signature; it might 
not be possible to exactly replicate the results in this section. 


Note that whitespace is added for readability as described in 
Section 1.1. 


4.3.1. Input Factors 
The following are supplied before beginning the signing operation: 


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o EC private key on the curve P-521; this example uses the key from 
Figure 2. 


o "alg" parameter of "ES512". 


4.3.2. Signing Operation

The following is generated before beginning the signature process:

o JWS Protected Header; this example uses the header from Figure 23,
encoded using base64url [RFC4648] to produce Figure 24.

{
  "alg": "ES512",
  "kid": "bilbo.baggins@hobbiton.example"
}

Figure 23: JWS Protected Header JSON


eyJhbGciOiJFUzUxMiIsImtpZCI6ImJpbGJUvLmJhZ2dpbnNAaG9iYml0b24uZ2X 
hhbXBsZSJ9 


Figure 24: JWS Protected Header, base64url-encoded 
The JWS Protected Header (Figure 24) and JWS Payload (Figure 8) are
combined as described in [JWS] to produce the JWS Signing Input
(Figure 25).

eyJhbGciOiJFUzUxMiIsImtpZCI6ImJpbGJUvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlocm
UgeW91IG1pZ2h0IGJ1IHN3ZXBOIG9mMZiBOby4

Figure 25: JWS Signing Input


Performing the signature operation over the JWS Signing Input 
(Figure 25) produces the JWS Signature (Figure 26). 


AE R YZCChjn4791jSQCrdPZCNYqgHXCTZHO-JZGYN1aAjP2kqaluUIIUnC9qvb
u9Plon7KRTzoNEuTAVa2cmLleJAQy3mtPBu u sDDyYjnAMDxXPn7XrTOlw-kv
AD890j18e2puQens IEKBpHABlSsDbEPX6sFY8OcGDqoRuBomu9xQ2

Figure 26: JWS Signature, base64url-encoded

4.3.3. Output Results 

The following compose the resulting JWS object: 

o JWS Protected Header (Figure 24) 

o Payload content (Figure 8) 

o Signature (Figure 26) 


The resulting JWS object using the JWS Compact Serialization: 


eyJhbGciOiJFUzUxMiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml10b24uZX
hhbXBsZSJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2l1uZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJlIHN3ZXBOIGO9mZiBOby4
.
AE R YZCChjn4791jSQCrdPZCNYgHXCTZHO-JZGYN1aAjP2kqaluUIIUnC9qvb
u9Plon7KRTzoNEuTAVa2cmLleJAQy3mtPBu u sDDyYjnAMDxXPn7XrTOlw-kv
AD890j18e2puQens IEKBpHABlSsDbEPX6sFY8OcGDqoRuBomu9xQ2

Figure 27: JWS Compact Serialization
The resulting JWS object using the general JWS JSON Serialization:

{
  "payload": "SXTigJ1zIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGcm9kbywg
      Z29pbmcgb3VOIH1vdXIgZG9vci4gWwWw91IHNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "signatures": [
    {
      "protected": "eyJhbGci0iJFUZUxMilsImtpZCI6ImJpbGJvLmJhZ2
          dpbnNAaG9iYm10b24uZXhhbxXBsZSJ9",
      "signature": "AE R_YZCChjn4791jSQCrdPZCNYqHXCTZHO-JZGYN1
          aAjP2kqaluUIIUnC9qvbu9Plon7KRTzoNEuT4Va2cmLleJAQy3mt
          PBu u sDDyYjnAMDxXPn7XrTO0lw-kvAD890318e2puQens IEKBp
          HABlsbEPX6sFY8OcGDqoRuBomu9xQ2"
    }
  ]
}

Figure 28: General JWS JSON Serialization


The resulting JWS object using the flattened JWS JSON Serialization: 


{
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGom9kbywg
      Z29pbmcgb3VOIHlvdXIgZG9vci4gWW911HNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "protected": "eyJhbGciOiJFUzUxMilsImtpZCI6ImJpbGJvLmJhZ2dpbn
      NAaG9iYm10b24uZXhhbXBsZSJ9",
  "signature": "AE R YZCChjn4791jSQCrdPZCNYqHXCTZHO-JZGYN1aAjP
      2kqaluUIIUnC9qvbu9Plon7KRTzoNEuTA4Va2cmLleJAQy3mtPBu u sD
      DyYjnAMDxXPn7XrTOlw-kvAD890j18e2puQens IEKBpHABlSDbEPXOSF
      Y80cGDqoRuBomu9xQ2"
}

Figure 29: Flattened JWS JSON Serialization


4.4. HMAC-SHA2 Integrity Protection


This example illustrates integrity protecting content using the 
"HS256" (HMAC-SHA-256) algorithm. 


Note that whitespace is added for readability as described in 
Section 1.1. 
4.4.1. Input Factors

The following are supplied before beginning the signing operation:


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o HMAC symmetric key; this example uses the key from Figure 5.

o "alg" parameter of "HS256".


4.4.2. Signing Operation 


The following is generated before completing the signing operation: 


o JWS Protected Header; this example uses the header from Figure 30, 
encoded using base64url [RFC4648] to produce Figure 31. 


{
  "alg": "HS256",
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037"
}

Figure 30: JWS Protected Header JSON


eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUIlLTRkOWItNDcCxYiliZmQ2LW 
V12jMxNGJjNzAzNyJ9 


Figure 31: JWS Protected Header, base64url-encoded


The JWS Protected Header (Figure 31) and JWS Payload (Figure 8) are 
combined as described in [JWS] to produce the JWS Signing Input 
(Figure 32). 


eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUIlLTRkOWItNDcxYiliZmQ2LW
V12jMxNGJjNzAzNyJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcom
UgeW91IG1pZ2h0IGJ1IHN3ZXBOIG9IMZiBOby4

Figure 32: JWS Signing Input
Performing the signature operation over the JWS Signing Input
(Figure 32) produces the JWS Signature (Figure 33).

SOh6KThzkfBBBkLspW1h84VsJZFTSPPqMDA7glMd7p0

Figure 33: JWS Signature, base64url-encoded

4.4.3. Output Results 

The following compose the resulting JWS object: 

o JWS Protected Header (Figure 31) 

o Payload content (Figure 8) 

o Signature (Figure 33) 

The resulting JWS object using the JWS Compact Serialization: 


eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUILTRkOWItNDcxYiliZmQ2LW
V12jMxNGJjNzAzNyJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlom
UgeW911G1pZ2hOIGJlIHN3ZXBOIG9mZiBOby4
.
SOh6KThzkfBBBkLspW1h84VsJZFTSPPqMDA7glMd7p0

Figure 34: JWS Compact Serialization
The resulting JWS object using the general JWS JSON Serialization:

{
  "payload": "SXTigJ1zIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGcm9kbywg
      Z29pbmcgb3VOIH1vdXIgZG9vci4gWwWw91IHNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "signatures": [
    {
      "protected": "eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUlLT
          RkOWItNDcxYiliZmQ2LWVl1ZjMxNGJjNzAzNygJ9",
      "signature": "sOh6KThzkfBBBkLspW1h84VsJZFTSPPqMDA7glMd7p
          0"
    }
  ]
}

Figure 35: General JWS JSON Serialization
The resulting JWS object using the flattened JWS JSON Serialization: 


{
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c21uZXNzLCBGom9kbywg
      Z229pbmcgb3VOIHlvdXIgZG9vci4gWW911HNOZXAgb250byB0aGUgcm9h
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlomXi
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW911G1pZ2hOIGJlIHN3ZXBOIG9m
      ZiBOby4",
  "protected": "eyJhbGciOiJIUzI1NilsImtpZCI61jAxOGMwYWUlLTRkOW
      ItNDcxYiliZmQ2LWVlZjMxNGJ jNzAzNyJ9",
  "signature": "sOh6KThzkfBBBkLspW1h84VsJZFTSPPqMDA7gl1Md7pO0"
}

Figure 36: Flattened JWS JSON Serialization

4.5. Signature with Detached Content 


This example illustrates a signature with detached content. This 
example is identical to other examples in Section 4, except the 
resulting JWS objects do not include the JWS Payload field. Instead, 
the application is expected to locate it elsewhere. For example, the 
Signature might be in a metadata section, with the payload being the 
content. 


Note that whitespace is added for readability as described in 
Section 1.1. 
4.5.1. Input Factors

The following are supplied before beginning the signing operation:


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o Signing key; this example uses the AES symmetric key from 
Figure 5. 


o Signing algorithm; this example uses "HS256". 
4.5.2. Signing Operation

The following is generated before completing the signing operation:

o JWS Protected Header; this example uses the header from Figure 37,
encoded using base64url [RFC4648] to produce Figure 38.


{
  "alg": "HS256",
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037"
}

Figure 37: JWS Protected Header JSON


eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUILTRkOWItNDcxYiliZmQ2LW 
V12jMxNGJjNzAzNyJ9 


Figure 38: JWS Protected Header, base64url-encoded 
The JWS Protected Header (Figure 38) and JWS Payload (Figure 8) are
combined as described in [JWS] to produce the JWS Signing Input
(Figure 39).

eyJhbGciOiJIUzI1NilsImtpZCI6IjAxOGMwYWUIlLTRkOWItNDcxYiliZmQ2LW
V12jMxNGJjNzAzNyJ9
.
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3VOIH
lvdXIgZG9vci4gWW911HNOZXAgb250byBOaGUgcm9hZCwgYW5kIGlmIHlvdSBk
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcom
UgeW91I1G1pZ2h0IGJ1IHN3ZXBOIG9IMZiBOby4

Figure 39: JWS Signing Input
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Performing the signature operation over the JWS Signing Input 
(Figure 39) produces the JWS Signature (Figure 40). 
sOh6KThzkf£BBBkLspW1h84VsJZFTSPPqMDA7g1Md7p0 

Figure 40: JWS Signature, base64url-encoded 
4.5.3. Output Results 
The following compose the resulting JWS object: 
o JWS Protected Header (Figure 38) 
o Signature (Figure 40) 
The resulting JWS object using the JWS Compact Serialization: 

eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LW 
VlZjMxNGJjNzAzNyJ9 
. 
. 
s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0 

Figure 41: JWS Compact Serialization 
The resulting JWS object using the general JWS JSON Serialization: 

{ 
  "signatures": [ 
    { 
      "protected": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LT 
          RkOWItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9", 
      "signature": "s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p 
          0" 
    } 
  ] 
} 

Figure 42: General JWS JSON Serialization 
The resulting JWS object using the flattened JWS JSON Serialization: 

{ 
  "protected": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOW 
      ItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9", 
  "signature": "s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0" 
} 

Figure 43: Flattened JWS JSON Serialization 
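The detached-content flow above, as an added Go example that is not part of this document or of the ietf-jose cookbook repository: it produces the Figure 41 and Figure 43 shapes for an HS256 key, then verifies them by re-attaching the payload. The HMAC key is a constructed placeholder (the Figure 5 key is not reproduced here), so the signature bytes differ from Figure 40; the header and payload encodings are deterministic and reproduce Figures 38 and 8.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64 is BASE64URL without padding, as JOSE requires (RFC 7515 Section 2).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Constructed 256-bit HMAC key. Substituting the "k" value of the cookbook's
// Figure 5 key (not reproduced here) reproduces Figure 40 exactly.
var hmacKey = []byte("0123456789abcdef0123456789abcdef")

// Figure 7 content, with U+2019 apostrophes in "It's" and "there's".
const payloadText = "It\u2019s a dangerous business, Frodo, going out your door. " +
	"You step onto the road, and if you don't keep your feet, " +
	"there\u2019s no knowing where you might be swept off to."

// Figure 37 header as compact JSON. The exact bytes matter: the signature
// covers their base64url encoding, not a re-serialisation.
const protectedJSON = `{"alg":"HS256","kid":"018c0ae5-4d9b-471b-bfd6-eef314bc7037"}`

// signHS256 MACs the JWS Signing Input,
// ASCII(BASE64URL(header) || '.' || BASE64URL(payload)).
func signHS256(key []byte, hdrB64, payloadB64 string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(hdrB64 + "." + payloadB64))
	return b64(m.Sum(nil))
}

// DetachedCompact is the Figure 41 shape: the payload segment is left empty,
// so the string still has exactly two dots.
func DetachedCompact(key, payload []byte) string {
	hdr := b64([]byte(protectedJSON))
	return hdr + ".." + signHS256(key, hdr, b64(payload))
}

// DetachedFlattened is the Figure 43 shape: no "payload" member at all.
func DetachedFlattened(key, payload []byte) string {
	hdr := b64([]byte(protectedJSON))
	out, _ := json.Marshal(map[string]string{
		"protected": hdr,
		"signature": signHS256(key, hdr, b64(payload)),
	})
	return string(out)
}

// VerifyDetached re-attaches the application-supplied payload, rebuilds the
// Signing Input and compares MACs in constant time. "alg" is checked against
// what this verifier expects, never used to choose the algorithm.
func VerifyDetached(key []byte, compact string, payload []byte) bool {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 || parts[1] != "" {
		return false // not a detached compact JWS
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return false
	}
	want, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(parts[0] + "." + b64(payload)))
	return hmac.Equal(m.Sum(nil), want)
}

func main() {
	payload := []byte(payloadText)
	c := DetachedCompact(hmacKey, payload)
	fmt.Println(c)
	fmt.Println(DetachedFlattened(hmacKey, payload))
	fmt.Println("verify:", VerifyDetached(hmacKey, c, payload))
	fmt.Println("wrong payload:", VerifyDetached(hmacKey, c, []byte("It's a safe business")))
}
```

Two checks in VerifyDetached carry the security weight. The decoded "alg" is compared with the algorithm this verifier expects for this key instead of being used to select one, so a header rewritten to "none" or to a public-key algorithm fails before any MAC is computed. And the payload comes from the application, not from the message: a detached JWS only proves something about bytes the verifier already holds, so accepting a payload supplied alongside the signature by the same untrusted party defeats the purpose.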
4.6. Protecting Specific Header Fields 
This example illustrates a signature where only certain Header 
Parameters are protected. Since this example contains both 
unprotected and protected Header Parameters, only the general JWS 
JSON Serialization and flattened JWS JSON Serialization are possible. 


Note that whitespace is added for readability as described in 
Section 1.1. 


4.6.1. Input Factors 
The following are supplied before beginning the signing operation: 


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o Signing key; this example uses the AES symmetric key from 
Figure 5. 


o Signing algorithm; this example uses "HS256". 


4.6.2. Signing Operation 


The following are generated before completing the signing operation: 


o JWS Protected Header; this example uses the header from Figure 44, 
encoded using base64url [RFC4648] to produce Figure 45. 


o JWS Unprotected Header; this example uses the header from 
Figure 46. 


{ 
  "alg": "HS256" 
} 


Figure 44: JWS Protected Header JSON 
eyJhbGciOiJIUzI1NiJ9 


Figure 45: JWS Protected Header, base64url-encoded 

{ 
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
} 


Figure 46: JWS Unprotected Header JSON 
The JWS Protected Header (Figure 45) and JWS Payload (Figure 8) are 
combined as described in [JWS] to produce the JWS Signing Input 
(Figure 47). 
eyJhbGciOiJIUzI1NiJ9 
. 
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH 
lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk 
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm 
UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4 

Figure 47: JWS Signing Input 


Performing the signature operation over the JWS Signing Input 
(Figure 47) produces the JWS Signature (Figure 48). 


bWUSVaxorn7bEF1djytBd0kHv70Ly5pvbomzMWSOr20 
Figure 48: JWS Signature, base64url-encoded 

4.6.3. Output Results 

The following compose the resulting JWS object: 

o JWS Protected Header (Figure 45) 

o JWS Unprotected Header (Figure 46) 

o Payload content (Figure 8) 

o Signature (Figure 48) 


The JWS Compact Serialization is not presented because it does not 
support this use case. 
The resulting JWS object using the general JWS JSON Serialization: 

{ 
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg 
      Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h 
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi 
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m 
      ZiB0by4", 
  "signatures": [ 
    { 
      "protected": "eyJhbGciOiJIUzI1NiJ9", 
      "header": { 
        "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
      }, 
      "signature": "bWUSVaxorn7bEF1djytBd0kHv70Ly5pvbomzMWSOr2 
          0" 
    } 
  ] 
} 

Figure 49: General JWS JSON Serialization 


The resulting JWS object using the flattened JWS JSON Serialization: 


{ 
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg 
      Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h 
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi 
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m 
      ZiB0by4", 
  "protected": "eyJhbGciOiJIUzI1NiJ9", 
  "header": { 
    "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
  }, 
  "signature": "bWUSVaxorn7bEF1djytBd0kHv70Ly5pvbomzMWSOr20" 
} 

Figure 50: Flattened JWS JSON Serialization 
4.7. Protecting Content Only 
This example illustrates a signature where none of the Header 
Parameters are protected. Since this example contains only 
unprotected Header Parameters, only the general JWS JSON 
Serialization and flattened JWS JSON Serialization are possible. 


Note that whitespace is added for readability as described in 
Section 1.1. 
4.7.1. Input Factors 
The following are supplied before beginning the signing operation: 


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o Signing key; this example uses the AES symmetric key from 
Figure 5. 


o Signing algorithm; this example uses "HS256". 

4.7.2. Signing Operation 
The following is generated before completing the signing operation: 
o JWS Unprotected Header; this example uses the header from 
Figure 51. 

{ 
  "alg": "HS256", 
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
} 

Figure 51: JWS Unprotected Header JSON 

The empty string (as there is no JWS Protected Header) and JWS 
Payload (Figure 8) are combined as described in [JWS] to produce the 
JWS Signing Input (Figure 52). 


. 
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH 
lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk 
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm 
UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4 

Figure 52: JWS Signing Input 


Performing the signature operation over the JWS Signing Input 
(Figure 52) produces the JWS Signature (Figure 53). 


xuLifqLGiblpv9zBpuZczWhNj1gARaLV3UxvxhJxZuk 


Figure 53: JWS Signature, base64url-encoded 


Miller Informational [Page 30] 


RFC 7520 JOSE Cookbook May 2015 


4.7.3. Output Results 
The following compose the resulting JWS object: 
o JWS Unprotected Header (Figure 51) 
o Payload content (Figure 8) 
o Signature (Figure 53) 


The JWS Compact Serialization is not presented because it does not 
support this use case. 


The resulting JWS object using the general JWS JSON Serialization: 


{ 
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg 
      Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h 
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi 
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m 
      ZiB0by4", 
  "signatures": [ 
    { 
      "header": { 
        "alg": "HS256", 
        "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
      }, 
      "signature": "xuLifqLGiblpv9zBpuZczWhNj1gARaLV3UxvxhJxZu 
          k" 
    } 
  ] 
} 

Figure 54: General JWS JSON Serialization 
The resulting JWS object using the flattened JWS JSON Serialization: 

{ 
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg 
      Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h 
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi 
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m 
      ZiB0by4", 
  "header": { 
    "alg": "HS256", 
    "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
  }, 
  "signature": "xuLifqLGiblpv9zBpuZczWhNj1gARaLV3UxvxhJxZuk" 
} 

Figure 55: Flattened JWS JSON Serialization 
4.8. Multiple Signatures 
This example illustrates multiple signatures applied to the same 
payload. Since this example contains more than one signature, only 
the general JWS JSON Serialization is possible. 


Note that whitespace is added for readability as described in 
Section 1.1. 


4.8.1. Input Factors 
The following are supplied before beginning the signing operation: 


o Payload content; this example uses the content from Figure 7, 
encoded using base64url [RFC4648] to produce Figure 8. 


o Signing keys; this example uses the following: 

* RSA private key from Figure 4 for the first signature 

* EC private key from Figure 2 for the second signature 

* AES symmetric key from Figure 5 for the third signature 
o Signing algorithms; this example uses the following: 

* "RS256" for the first signature 

* "ES512" for the second signature 


* "HS256" for the third signature 
4.8.2. First Signing Operation 


The following are generated before completing the first signing 
operation: 


o JWS Protected Header; this example uses the header from Figure 56, 
encoded using base64url [RFC4648] to produce Figure 57. 


o JWS Unprotected Header; this example uses the header from 
Figure 58. 


{ 
  "alg": "RS256" 
} 


Figure 56: Signature #1 JWS Protected Header JSON 
eyJhbGciOiJSUzI1NiJ9 


Figure 57: Signature #1 JWS Protected Header, base64url-encoded 
{ 
  "kid": "bilbo.baggins@hobbiton.example" 
} 

Figure 58: Signature #1 JWS Unprotected Header JSON 
The JWS Protected Header (Figure 57) and JWS Payload (Figure 8) are 
combined as described in [JWS] to produce the JWS Signing Input 
(Figure 59). 
eyJhbGciOiJSUzI1NiJ9 
. 
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH 
lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk 
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm 
UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4 


Figure 59: JWS Signing Input 
Performing the signature operation over the JWS Signing Input 
(Figure 59) produces the JWS Signature (Figure 60). 


MIsjqtVlOpa71KE-Mss8 Nq2YH4FGhiocsqrgi5NvyG53uoimicltcMdSg-qpt 
rzZc7CG6Svw2Y13TDIqHzTUrL lIR2ZFcryNFiHkSw129EghGpwkpxaTn THJTC 
glNbADko1MZBCdwzJxwqZc-l1RlpO2HibUYyXSwO97BSe0 evZzKdjvvKSgsIqjy 
tKSeAMbhMBdMma622 BG5t4sdbuCHtFjp9iJUmkio47AIwqkZVlalZsv33uPUqB 
BCXbYoQUwt7mxPftHmNl1GoOSMxR 3thmXTCm4US-xiNOyhbm8afKK64jU6 TPt 
OHiJeQUxz9G3Tx-083B745 AfYOnlC9w 


Figure 60: JWS Signature #1, base64url-encoded 
The following is the assembled first signature serialized as JSON: 


{ 
  "protected": "eyJhbGciOiJSUzI1NiJ9", 
  "header": { 
    "kid": "bilbo.baggins@hobbiton.example" 
  }, 
"signature": "MIsjqtVlOpa71KE-Mss8 Nq2YH4FGhiocsqrgi5NvyG53u 


oimicltcMdSg-qptrzZc7CG6Svw2Y13TDIqgHzTUrL lR2ZFCcryNFiHkS 
wl129EghGpwkpxaTn THJTCglNbADkolMZBCdwzJxwqZzc-1RlIpO2HibUY 
yXSwO97BSe0 evZKdjvvKSgsIqjytKSeAMbhMBdMma622 BG5t4sdbuC 
HtFjp9iJmkio47AIwqkZVlalZsv33uPUqBBCXbYoQUwt 7mxPftHmN1Go 
OSMxR 3thmXTCmA4US-xiNOyhbm8afKK64jU6 TPtOHiJeQUxz9G3Tx-0 
83B745_AfYOn1C9w" 
} 

Figure 61: Signature #1 JSON 
4.8.3. Second Signing Operation 


The following is generated before completing the second signing 
operation: 


o JWS Unprotected Header; this example uses the header from 
Figure 62. 

{ 
  "alg": "ES512", 
  "kid": "bilbo.baggins@hobbiton.example" 
} 

Figure 62: Signature #2 JWS Unprotected Header JSON 

The empty string (as there is no JWS Protected Header) and JWS 
Payload (Figure 8) are combined as described in [JWS] to produce the 
JWS Signing Input (Figure 63). 


. 
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH 
lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk 
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm 
UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4 

Figure 63: JWS Signing Input 


Performing the signature operation over the JWS Signing Input 
(Figure 63) produces the JWS Signature (Figure 64). 


ARcVLnaJJaUWG8fG-8t5BREVAuTY8n8YHjwDOlmuhcdCoFZFFjflISuO0Cdkn9Yb 
dimi54ho0x924DUz8sK7ZXkhc7AFM8ObLfTvNCrqcI3JKkl12U5IX3utNhODH6v7 
xgyl10ahsn0fyb4zSAkje8bAWz4vIf3j5pCMYxxm4fgV3q7ZYhm5eD 

Figure 64: JWS Signature #2, base64url-encoded 


The following is the assembled second signature serialized as JSON: 


{ 


"header": { 
"alg": "ES512", 
"kid": "bilbo.baggins@hobbiton.example" 
}, 
"signature": "ARCVLnaJJaUWG8fG-8t5BREVAuTY8n8YHjwDOlmuhcdCoF 


ZFFjflSuO0Cdkn9Ybdlmi54ho0x924DUz8sK7ZXkhc7AFM8ODbLfTvNCrq 
CI3JK12U5IXS3utNhODH6v7xgylQahsnOfyb4zSAkje8bAWz4AvIfj5pCM 
Yxxm4fgV3q7ZYhm5eD" 
} 

Figure 65: Signature #2 JSON 
4.8.4. Third Signing Operation 


The following is generated before completing the third signing 
operation: 


o JWS Protected Header; this example uses the header from Figure 66, 
encoded using base64url [RFC4648] to produce Figure 67. 

{ 
  "alg": "HS256", 
  "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037" 
} 

Figure 66: Signature #3 JWS Protected Header JSON 


eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LW 
VlZjMxNGJjNzAzNyJ9 


Figure 67: Signature #3 JWS Protected Header, base64url-encoded 
The JWS Protected Header (Figure 67) and JWS Payload (Figure 8) are 
combined as described in [JWS] to produce the JWS Signing Input 
(Figure 68). 


eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LW 
VlZjMxNGJjNzAzNyJ9 
. 
SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH 
lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk 
b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm 
UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4 

Figure 68: JWS Signing Input 


Performing the signature operation over the JWS Signing Input 
(Figure 68) produces the JWS Signature (Figure 69). 


s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0 


Figure 69: JWS Signature #3, base64url-encoded 
The following is the assembled third signature serialized as JSON: 

{ 
  "protected": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOW 
      ItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9", 
  "signature": "s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0" 
} 

Figure 70: Signature #3 JSON 
4.8.5. Output Results 
The following compose the resulting JWS object: 
o Payload content (Figure 8) 
o Signature #1 JSON (Figure 61) 
o Signature #2 JSON (Figure 65) 
o Signature #3 JSON (Figure 70) 
The JWS Compact Serialization is not presented because it does not 
support this use case; the flattened JWS JSON Serialization is not 
presented because there is more than one signature. 
The resulting JWS object using the general JWS JSON Serialization: 

{ 
  "payload": "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg 
      Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h 
      ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi 
      gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m 
      ZiB0by4", 
  "signatures": [ 
    { 
      "protected": "eyJhbGciOiJSUzI1NiJ9", 
      "header": { 
        "kid": "bilbo.baggins@hobbiton.example" 
      }, 
      "signature": "MIsjqtVlOpa71KE-Mss8 Nq2YH4FGhiocsqrgi5Nvy 
          G53uoimicltcMdSg-qptrzZc7CG6Svw2Y13TDIgHzTUrL l1R2ZFc 
          ryNFiHkSw129EghGpwkpxaTn THJTCglNbADkolMZBCdwzJxwqZc 
          -l1RIpO2HibUYyXSwO97BSe0 evZKdjvvKSgsIqjytKSeAMbhMBdM 
          ma622 BG5t4sdbuCHtFjp9iJmkio47AIwqkZVlalZsv33uPUqBBC 
          XbYoQUwt 7mxP ft HMN1GOOSMxR_3thmxTCm4US-xiNOyhbm8afKK6 
          4jU6_TPtQHiJeQUxz9G3Tx-083B745_AfYOn1C9w" 
    }, 
    { 
      "header": { 
        "alg": "ES512", 
        "kid": "bilbo.baggins@hobbiton.example" 
      }, 
      "signature": "ARCVLnaJJaUWG8fG-8t5BREVAuTY8n8YHjwDOlmuhc 
          dCoFZFFjflSuO0Cdkn9Ybdlmi54ho0x924DUz8sK7ZXkhc7AFM8O0b 
          LfTvNCrqcI3Jkl12U5IX3utNhODH6v7xgylQahsnOfyb4zSAkje8b 
          AWz4AvIfj5pCMYxxm4fgV3q7ZYhm5eD" 
    }, 
    { 
      "protected": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LT 
          RkOWItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9", 
      "signature": "s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p 
          0" 
    } 
  ] 
} 

Figure 71: General JWS JSON Serialization 
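Sections 4.6 to 4.8 together, as an added Go example that is not this document's code: one general JWS JSON Serialization carrying three signatures over the Figure 8 payload, the first protecting only "alg" (the Section 4.6 split), the second protecting nothing (Section 4.7), the third protecting both members. All three signatures use HS256 with constructed keys looked up by "kid", in place of the RSA and EC keys of Figures 4 and 2, so that the example needs only crypto/hmac; the second kid is hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// Figure 7 content, with U+2019 apostrophes in "It's" and "there's".
const payloadText = "It\u2019s a dangerous business, Frodo, going out your door. " +
	"You step onto the road, and if you don't keep your feet, " +
	"there\u2019s no knowing where you might be swept off to."

// One element of "signatures" (RFC 7515 Section 7.2.1); only "protected" is signed.
type Signature struct {
	Protected string            `json:"protected,omitempty"`
	Header    map[string]string `json:"header,omitempty"`
	Signature string            `json:"signature"`
}

type GeneralJWS struct {
	Payload    string      `json:"payload"`
	Signatures []Signature `json:"signatures"`
}

// Constructed HMAC keys by kid; kid1 is the cookbook's Figure 5 kid, kid2 is hypothetical.
const kid1, kid2 = "018c0ae5-4d9b-471b-bfd6-eef314bc7037", "example-second-oct-key"

var keys = map[string][]byte{
	kid1: []byte("0123456789abcdef0123456789abcdef"),
	kid2: []byte("fedcba9876543210fedcba9876543210"),
}

// hs256 MACs ASCII(BASE64URL(protected) || '.' || BASE64URL(payload)); no protected header gives "." + payload.
func hs256(key []byte, protected, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(protected + "." + payload))
	return m.Sum(nil)
}

// Sign builds a Section 4.8-style object with the three header splits of Sections
// 4.6 to 4.8: #1 "alg" protected and "kid" unprotected, #2 nothing protected, #3 all protected.
func Sign(payload []byte) *GeneralJWS {
	p := b64(payload)
	prot1 := b64([]byte(`{"alg":"HS256"}`))
	prot3 := b64([]byte(`{"alg":"HS256","kid":"` + kid1 + `"}`))
	return &GeneralJWS{Payload: p, Signatures: []Signature{
		{prot1, map[string]string{"kid": kid2}, b64(hs256(keys[kid2], prot1, p))},
		{"", map[string]string{"alg": "HS256", "kid": kid1}, b64(hs256(keys[kid1], "", p))},
		{prot3, nil, b64(hs256(keys[kid1], prot3, p))},
	}}
}

// Verify merges each signature's two headers (a parameter in both is an error), looks the
// key up by kid, requires the alg this verifier accepts for that key, and counts successes.
func Verify(jws *GeneralJWS) (int, error) {
	valid := 0
	for _, s := range jws.Signatures {
		hdr := map[string]string{}
		for k, v := range s.Header {
			hdr[k] = v
		}
		var prot map[string]string
		if raw, err := unb64(s.Protected); err != nil {
			return valid, err
		} else if s.Protected != "" {
			if err := json.Unmarshal(raw, &prot); err != nil {
				return valid, err
			}
		}
		for k, v := range prot {
			if _, dup := hdr[k]; dup {
				return valid, fmt.Errorf("%q present in both headers", k)
			}
			hdr[k] = v
		}
		sig, err := unb64(s.Signature)
		if err != nil {
			return valid, err
		}
		key, known := keys[hdr["kid"]]
		if known && hdr["alg"] == "HS256" && hmac.Equal(hs256(key, s.Protected, jws.Payload), sig) {
			valid++
		}
	}
	return valid, nil
}

func main() {
	jws := Sign([]byte(payloadText))
	n, err := Verify(jws)
	fmt.Println("valid signatures:", n, err)
}
```

The verifier rebuilds the Signing Input from the "protected" segment exactly as received and from nothing else, which is why an unprotected member can be added, removed or rewritten by anyone without invalidating a single signature. Parameters a verifier relies on for a security decision therefore belong in "protected"; a parameter present in both headers is rejected, as RFC 7515 requires; and the acceptable algorithm is fixed per key rather than read from the object.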
5. JSON Web Encryption Examples 


The following sections demonstrate how to generate various JWE 
objects. 


All of the encryption examples (unless otherwise noted) use the 
following Plaintext content (an abridged quote from "The Fellowship 
of the Ring" [LOTR-FELLOWSHIP]), serialized as UTF-8. The Plaintext 
is presented here as a series of quoted strings that are concatenated 
to produce the JWE Plaintext. The sequence "\xe2\x80\x93" is 
substituted for (U+2013 EN DASH), and quotation marks (U+0022 
QUOTATION MARK) are added for readability but are not present in the 
JWE Plaintext. 


"You can trust us to stick with you through thick and " 
"thin\xe2\x80\x93to the bitter end. And you can trust us to " 
"keep any secret of yours\xe2\x80\x93closer than you keep it " 
"yourself. But you cannot trust us to let you face trouble " 
"alone, and go off without a word. We are your friends, Frodo." 
Figure 72: Plaintext Content 

5.1. Key Encryption Using RSA v1.5 and AES-HMAC-SHA2 

This example illustrates encrypting content using the "RSA1_5" 
(RSAES-PKCS1-v1_5) key encryption algorithm and the "A128CBC-HS256" 
(AES-128-CBC-HMAC-SHA-256) content encryption algorithm. 

Note that RSAES-PKCS1-v1_5 uses random data to generate the 
ciphertext; it might not be possible to exactly replicate the results 
in this section. 

Note that only the RSA public key is necessary to perform the 
encryption. However, the example includes the RSA private key to 
allow readers to validate the output. 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.1.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 


o RSA public key; this example uses the key from Figure 73. 
o "alg" parameter of "RSA1_5". 


o "enc" parameter of "A128CBC-HS256". 


{ 
"kty": "RSA", 
"kid": "frodo.baggins@hobbiton.example", 
"use": "enc", 

"n": "maxhbsmBtdOQ3CNrKvprUE6n9l1YcregDMLYNeTAWCLj8NnPU9XIYegT 


HVHQOjxKDSHP21-F5jS7sppGlwgdAqZzyhnWvXhYNvcM7RfgKxqNx xAHx 
6f3yy7s-M9PSNCWPC21h6UAKR4T00EhV91rypM9Pi41BUOp9t5fSIW5U 
NwaAllhrd-osQGPjleIldeHTwx-ZTHu3C60Pu LJIl6hKn9wbwaUmA4c 
R5Bd2pgbaY7ASgsjCUbtYJaNIHSOoHXprUdJZKUMAzVOWOKPfAGOPIA4oy 
pBadjvMZ4ZAj3BnXaSYsEZhaueTXvZBA4eZOAjIyh2e VOIKVMsnDrJYA 


VotGlvMQ", 
"e": "AQAB", 
"d": "Kn9tgoHfiTVi8uPu5b9TnwyHwG5dK6REOuFdlpCGnJN7ZEi963R7wy 


bOIPLAHmpIbNTztfrheoAniRV1NCIqXaW qS461xiDTp4ntEPnqcKsyO 
5jMAji7-CL8vhpYYowNFvlIesgMoVaPRYMYT9TW63hNMOaWs7USZ hLg6 
OelmYOvHTI3FucjSM86NffA4oIENt43r2fspgEPGRrdE6fpLc9Oaq-qeP 
1GFULimrRdndm-P8q8kvN3KHINAtEgrQAgTTgz805-3VDOFgWfgnblPN 
miuPUxO8OpI9KDIfu accó6fgl4nsNaJqXe6RESvhGPH2afjHqSy Fd2v 
pzj85bOQQ", 

"p": "2DwOmZ43FoTnQ8IkUj3BmKRf5Eh2mizZA5xEJ2MinUEG3sdTYKSLtaE 
oekX9vbBZuWxHdVhM6UnKCJ 2iNk8Z20ayLYHLO G21aXf9-unynEpUsH 
7HHTklLpYAzOOx1ZgVljoxAdWNn3hiEFrjZLZGS710H-a3QQOlDDQoJOJ 
2VFmU", 

"gq": "te8LYA4-W7IyaqH1ExujjMqkTAlTeRbvOVLOnfLY2xINnrWdwiQ93 V 
F099aPlESeLja2nw-6iKIe-qT7mtCPozKfVtUYfz5HrJ XY2kfexJINb 
91hZHMv5plskZpelS-GPHCC6gRlKolq-idn qxyusfWv7WAxlSVfOfk8 
d6EtO", 

"dp": "UfYKcL or492vVcOPzwLSplbg4L3-Z5wL48mwiswbpzOyIgd2xHTH 
OmjJpFAIZ8q-zf9RmgJXkDrFs9rkdxPtAsL1WYdeCT5c125Fkdg317JV 
RDolinX7x2Kdh8ERCreW8 4zXItuTl KiXZNU51vMQjWbIw2eTxllpsf 
lo0rYu", 

"dq": "iEgcO-OfpepdH8FWd7mUFyrXdnOkXJBCogChY6YKuIHGc p8Le9Mb 
pFKESZzEaLlNIEhf3B60GBl5Iz ayU12j2100282znoUrpa9fVYNOot87A 
CfzIG7q9Mv7RiPAderZiO3tkVXAdaBau 9vs5rS-7HMtxkVrxSUvJY14 
TkXlHE", 

"qi": "kC-1zZOqoFaZCr510tOVtREKoVqaAYhQOiqIRGL-MzS4sCmRkxm5vZ 
lXYx6RtE1n AagjgajlkjieGl1xTTThHD8Iga6foGBMaAr5uR1hGOpSc7 
Gl7CFl1DZkBJMTON6EshYzZfxW08mlO8M6RzuhO0beL6fG9mkDcIyPrBXx 
2bQ mM" 
} 

Figure 73: RSA 2048-Bit Key, in JWK Format 
(NOTE: While the key includes the private parameters, only the public 
parameters "e" and "n" are necessary for the encryption operation.) 

5.1.2. Generated Factors 
The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 74. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 75. 


3gqyTVhIWtb5juqZzUCpfRqpvauwB956MEJL2Rt-8qXKSo 
Figure 74: Content Encryption Key, base64url-encoded 
bbd5sTkYwhAIqfHsx8DayA 
Figure 75: Initialization Vector, base64url-encoded 

5.1.3. Encrypting the Key 


Performing the key encryption operation over the CEK (Figure 74) with 
the RSA key (Figure 73) results in the following Encrypted Key: 


laLxI0j-nLH- BgLOXMozKxmy9gffy2gTdvqzfTihJBuuzxg0OV7yklWClnQePF 
vG2K-pvS1Wc9BRIazDrn50RcRai__ 3 TDON3 95H3c62t louJJ4XaRvYHF jZTZ2G 
Xfz8YAImccO91TfkOWXC2F5Xbb71ClOl1DDH151tlpH77f2ff7xiSxh9oSewYrcG 
TSLUeeCt36rlKt305j7EyBOXoZ1N7IxbyhMAfgle7Mvl1rOTOI5I8NOqeXXW8Vl 
zNmoxaGMny3YnGir5Wf6Qt2nBq4qDaPdnaAuuGUGEecellOlwxlBpyIfgvfjOh 
MBs9M8XL223Fg47xlGsMXdfuY-4jaqVw 


Figure 76: Encrypted Key, base64url-encoded 
5.1.4. Encrypting the Content 


The following is generated before encrypting the Plaintext: 


o JWE Protected Header; this example uses the header from Figure 77, 
encoded using base64url [RFC4648] to produce Figure 78. 


{ 
  "alg": "RSA1_5", 
  "kid": "frodo.baggins@hobbiton.example", 
  "enc": "A128CBC-HS256" 
} 


Figure 77: JWE Protected Header JSON 


eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW5zQGhvYmJpdG9uLm 
V4YW1wbGUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 

Figure 78: JWE Protected Header, base64url-encoded 


Performing the content encryption operation on the Plaintext 
(Figure 72) using the following: 


o CEK (Figure 74); 
o Initialization Vector (Figure 75); and 
o JWE Protected Header (Figure 77) as authenticated data 
produces the following: 
o Ciphertext from Figure 79. 
o Authentication Tag from Figure 80. 
Ofys TY na7f8dàwSfXLiYdHaA2DxUjD67ieF7fcVbIR62JhJvGZ4 FNVSiGc r 
aa0HnLQ6s1P2sv3Xzllpll o5wR RsSzrS8Z-wnlI3JvoOmkpEEnlDmZvDu k80 
WzJv7eZzVEqiWKdyVzFhPpiyQU28GLOpRc2VbVbKAdOKPGdNTjPPEmRqcaGeTWZV 
yeSUvf5k59yJZxRuSvWFf6KrNtmRdZ8RAmDOjHSrM s8uwIFcqt4r5GX8TKaIl0 
zT5CbL5Olw3sRc7u hgOyKVOiRytEAEs3vZkcfLkP6nbXdC PkMdNS-ohP78T2 
O6 7uInMGhFeX4ctHG7VelHGiT93JfWDEQi5 V9UN1rhXNrYu-OfVMkZAKX3VW 
i7lzA6BP430m 

Figure 79: Ciphertext, base64url-encoded 


kvKuFBXHe5mQr4lqgobAUg 


Figure 80: Authentication Tag, base64url-encoded 
5.1.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 78) 
o Encrypted Key (Figure 76) 
o Initialization Vector (Figure 75) 
o Ciphertext (Figure 79) 
o Authentication Tag (Figure 80) 
The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW5zQGhvYmJpdG9uLm 
V4YW1wbGUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 


laLxI0j-nLH- BgLOXMozKxmy9gffy2gTdvqzfTihJBuuzxg0OV7yklWClnQePF 
vG2K-pvS1Wc9BRIazDrn50RcRai__3TDON395H3c62tlouJJ4XaRvYHF3ZTZ2G 
Xfz8YAImcc91TfKOWXC2F5Xbb71C101DDH151t1pH77f2ff7xiSxh%oSewYrcG 
TSLUeeCt36rlKt305j7EyBOXoZl1N7IxbyhMAfgle7Mvl1rOTOI5I8NOqeXXW8Vl 
zNmoxaGMny3YnGir5Wf6Qt2nBq4qDaPdnaAuuGUGEecellOlwxlBpyIfgvfjOh 
MBs9M8XL223Fg47xlGsMXdfuY-4jaqVw 


bbd5sTkYwhAIqfHsx8DayA 


Ofys TY na7f8dwSfXLiYdHaA2DxUjD67ieF7fcVbIR62JhJvGZ4 FNVSiGc r 
aa0HnLQ6s1P2sv3Xzllpll o5wR RsSzrS8Z-wnlI3JvoOmkpEEnlDmZvDu k80 
WzJv7eZzVEqiWKdyVzFhPpiyQU28GLOpRc2VbVbKAdOKPGdNTjPPEmRqcaGeTWZV 
yeSUvf5k59yJZxRuSvWFf6KrNtmRdZ8RAmDOjHSrM s8uwIFcqt4r5GX8TKaIl0 
zT5CbL5Olw3sRc7u hgOyKVOiRytEAEs3vZkcfLkP6nbXdC PkMdNS-ohP78T2 
O6 7uInMGhFeX4ctHG7VelHGiT93JfWDEQi5 V9UNIrhXNrYu-OfVMkZAKX3VW 
i7l1zA6BP430m 


kvKuFBXHe5mQr4lqgobAUg 


Figure 81: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 
"recipients": [ 
{ 

"encrypted_key": "laLxI0j-nLH- BgLOXMozKxmy9gffy2gTdvqzf 
TihJBuuzxg0OV7yklWClnOePFvG2K-pvSl1Wc9BRIazDrn50RcRai 
.3TDON395H3c62tIouJJAXaRvYHFjZTZ2GXfz8YAImccO9l1TfkOWX 
C2F5Xbb71ClOl1DDH151tlpH77f2ff7xiSxh9oSewYrcGTSLUeeCt 
36r1Kt3058j7EyBOXoZl1N7IxbyhMAfgIle7Mvl1rOTOI5I8NOqeXXW8 
VlzNmoxaGMny3YnGir5Wf60t2nBq4qDaPdnaAuuGUGEecellOlwx 
1BpylfgvfjOhMBs9M8XL223Fg47xlGsMXdfuY-4jaqVw" 

} 
], 
"protected": "eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW 
5zQGhvYmJpdG9uLmV4YW1wbGUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In 
0", 
"iv": "bbd5sTkYwhAIqfHsx8DayA", 

"ciphertext": "Ofys TY na7f8dwSfXLiYdHaA2DxUjD67ieF7fcVbIR62 
JhJvGZ4 FNVSiGc raa0HnLQ6s1P2sv3Xzllpll o5wR RsSzrS8Z-wn 
I3JvoOmkpEEnlDmZvDu k80WzJv7eZVEqiWKdyVzFhPpiyQU28GLOpRc 
2VbVbKAdOKPdNTjPPEmRqcaGeTWZVyeSUvf5k59yJZxRuSvWFf6KrNtm 
RdZ8RAmDOjHSrM s8uwIFcqt4r5GX8TKalO0zT5CbL5O0lw3sRc7u hgOy 
KVOiRytEAEs3vZkcfLkP6nbXdC PkMdNS-ohP78T206 7uInMGhFeX4c 
tHG7VelHGiT93JfWDEQi5 V9UNlrhXNrYu-O0fVMkZAKX3VWi"7lzA6BP4 
30m", 

"tag": "kvKuFBXHe5mQr4lqgobAUg" 
} 

Figure 82: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 


{ 

"protected": "eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW 
5zQGhvYmJpdG9uLmV4YW1wbGUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In 
0", 
"encrypted_key": "laLxI0j-nLH- BgLOXMozKxmy9gffy2gTdvqzfTihJ 
BuuzxgOV7yklWClnQePFvG2K-pvSlWc9BRIazDrn50RcRai  3TDON39 
5H3c62tlouJJ4XaRvYHF3ZTZ2GXfz8YAImcc91TfKOWXC2F5Xbb71C10 
1DDH151t1pH77f2ff7xiSxh9%0SewYrcGTSLUeect36r1Kt30S37EyBOX 
oZ1N7IxbyhMAfgle7Mvl1rO0TOI5I8NOgeXXW8V1zNmoxaGMny3YnGir5Ww 
f6Qt2nBq4qDaPdnaAuuGUGEecellOlwxlBpyIfgvfjOhMBs9M8XL223F 
g47xlGsMXdfuY-4jaqVw", 

"iv": "bbd5sTkYwhAIqfHsx8DayA", 

"ciphertext": "Ofys TY na7f8dwSfXLiYdHaA2DxUjD67ieF7fcVbIR62 
JhJvGZ4 FNVSiGc raa0HnLQ6s1P2sv3Xzllpll o5wR RsSzrS8Z-wn 
I3JvoOmkpEEnlDmZvDu k80WzJv7eZVEqiWKdyVzFhPpiyQU28GLOpRc 
2VbVbKAdOKPdNTjPPEmRqcaGeTWZVyeSUvf5k59yJZxRuSvWFf6KrNtm 
RdZ8RAmDOjHSrM s8uwIFcqt4r5GX8TKalOzT5CbL5O0lw3sRc7u hgOy 
KVOiRytEAEs3vZkcfLkP6nbXdC PkMdNS-ohP78T206 7uInMGhFeX4c 
tHG7VelHGiT93JfWDEQi5 V9UNlrhXNrYu-O0fVMkZAKX3VWi"7lzAO6BP4 
30m", 

"tag": "kvKuFBXHe5mQr4lqgobAUg" 
} 

Figure 83: Flattened JWE JSON Serialization 
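Section 5.1 end to end, as an added Go example that is not this document's code: a random CEK wrapped with RSA1_5, A128CBC-HS256 content encryption as specified in RFC 7518 Section 5.2 (key split, PKCS#7 padding, AAD, AL block, truncated HMAC), and the matching decryption. The RSA key is generated at run time instead of Figure 73 and the CEK and IV are random, so the Encrypted Key, Ciphertext and Authentication Tag differ from Figures 76, 79 and 80; the AAD is the Figure 78 value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Figure 72 plaintext; \u2013 is the EN DASH the text shows as \xe2\x80\x93.
const plaintext = "You can trust us to stick with you through thick and thin\u2013to the bitter end. " +
	"And you can trust us to keep any secret of yours\u2013closer than you keep it yourself. " +
	"But you cannot trust us to let you face trouble alone, and go off without a word. We are your friends, Frodo."

// Figure 77 header as compact JSON; ASCII(BASE64URL(header)) is the AAD.
const protectedJSON = `{"alg":"RSA1_5","kid":"frodo.baggins@hobbiton.example","enc":"A128CBC-HS256"}`

// tag is the first 16 bytes of HMAC-SHA-256(MAC_KEY, AAD || IV || E || AL), where AL is
// the AAD length in bits as a 64-bit big-endian integer (RFC 7518 Section 5.2.2.1).
func tag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{aad, iv, ct, al} {
		m.Write(part)
	}
	return m.Sum(nil)[:16]
}

// EncryptA128CBCHS256 splits the CEK into MAC_KEY (first 16 bytes) and ENC_KEY
// (last 16), pads with PKCS#7, encrypts with AES-128-CBC, then MACs.
func EncryptA128CBCHS256(cek, iv, aad, pt []byte) (ct, t []byte, err error) {
	if len(cek) != 32 || len(iv) != 16 {
		return nil, nil, errors.New("A128CBC-HS256 needs a 256-bit CEK and a 128-bit IV")
	}
	enc, _ := aes.NewCipher(cek[16:]) // cannot fail: key length checked above
	pad := 16 - len(pt)%16
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(enc, iv).CryptBlocks(ct, padded)
	return ct, tag(cek[:16], aad, iv, ct), nil
}

// DecryptA128CBCHS256 checks the tag in constant time before any decryption
// or unpadding, so padding errors are never observable (no padding oracle).
func DecryptA128CBCHS256(cek, iv, aad, ct, t []byte) ([]byte, error) {
	if len(cek) != 32 || len(iv) != 16 || len(ct) == 0 || len(ct)%16 != 0 {
		return nil, errors.New("malformed input")
	}
	if !hmac.Equal(tag(cek[:16], aad, iv, ct), t) {
		return nil, errors.New("authentication tag mismatch")
	}
	enc, _ := aes.NewCipher(cek[16:])
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(enc, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 16 {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// RoundTrip runs Section 5.1 with a run-time RSA key in place of Figure 73:
// wrap a random CEK with RSA1_5, encrypt, then unwrap and decrypt.
func RoundTrip() (string, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	cek, iv := make([]byte, 32), make([]byte, 16)
	rand.Read(cek)
	rand.Read(iv)
	aad := []byte(b64([]byte(protectedJSON))) // Figure 78
	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, &rsaKey.PublicKey, cek)
	if err != nil {
		return "", err
	}
	ct, t, err := EncryptA128CBCHS256(cek, iv, aad, []byte(plaintext))
	if err != nil {
		return "", err
	}
	// Recipient: prefill the CEK buffer with random bytes. On a PKCS#1 v1.5 padding
	// failure DecryptPKCS1v15SessionKey leaves it untouched, so the failure surfaces
	// later as an ordinary tag mismatch rather than as a padding oracle.
	gotCEK := make([]byte, 32)
	rand.Read(gotCEK)
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, rsaKey, encryptedKey, gotCEK); err != nil {
		return "", err
	}
	pt, err := DecryptA128CBCHS256(gotCEK, iv, aad, ct, t)
	return string(pt), err
}
```

Two choices on the receiving side matter. The tag is checked with hmac.Equal before any AES-CBC decryption or unpadding, so a manipulated message never produces a padding error the sender could observe. The CEK is unwrapped with rsa.DecryptPKCS1v15SessionKey into a buffer prefilled with random bytes, so a PKCS#1 v1.5 padding failure yields a random CEK and a tag mismatch that are indistinguishable from any other failure, which is the standard defence against Bleichenbacher's attack on RSA1_5; RFC 8725 advises against RSA1_5 for this reason, and RSA-OAEP (Section 5.2) avoids the issue. RoundTrip returns the recovered plaintext, which a caller compares with Figure 72.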
5.2. Key Encryption Using RSA-OAEP with AES-GCM 


This example illustrates encrypting content using the "RSA-OAEP" 
(RSAES-OAEP) key encryption algorithm and the "A256GCM" (AES-GCM) 
content encryption algorithm. 


Note that RSAES-OAEP uses random data to generate the ciphertext; it 
might not be possible to exactly replicate the results in this 
section. 


Note that only the RSA public key is necessary to perform the 
encryption. However, the example includes the RSA private key to 
allow readers to validate the output. 


Note that whitespace is added for readability as described in 
Section 1.1. 
5.2.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the Plaintext from Figure 72. 
o RSA public key; this example uses the key from Figure 84. 
o "alg" parameter of "RSA-OAEP". 


o "enc" parameter of "A256GCM". 


{ 
"kty": "RSA", 

"kid": "samwise.gamgee@hobbiton.example", 

"use": "enc", 

"n": "wbdxI55VaanZXPY29Lg5hdmv2XhvgAhoxUkanfzf2-5zVUxa6prHRr 


I4pPlAhoqJURlZfYtWWd5mmHRG2pAHIlh0ySJ9wiO0BioZBll1XP2e-C-Fy 
XJGcTyOHdKOWlrfhTm42EW7VvO4r4gfao6uxjLGwfpGrZLarohiWCPnk 
Nrg71S2CuNZSQBIPGjXfkmIy2tl VWgGnL22GplyXj5YlBLdxXp3XeSt 
sqo571lutNfoUTU8E4qdzJ3U1DItoVkPGsMwlmmnJiwA7sXRItBCivR4M 
SqnZtdw-7v4WuR477 9ubDuJ5nalMv2S66—-RPcnFAZWSKxtBDnFJJDGIU 
e7TzizjginmsOXq yPub UOlWn0ec85FCftlhACpWG8schrOBeNqgHBOD 
FSkYpUC2LC5JAZ2TaPF2dA67dglTTsC FupfO2kNGCElLgprxKHcVWYOQb 
86B-HozjHZcqtauBzFNV5tbTuB-TpkcvJfNcFL1H3b8mb-H ox35FjqB 
SAjLKyoeqfKTpVjvXhd09knwgJf6VKq6UCA418 TOLjMVfFTWXUxlnfhO 
OnzW6HSSzDl1c9WrCuVzsUMv54szidQO9wflcYWf3g5qFDxDOKis99gcDa 
iCAwM3yEBIzuNeeCa5dartHDb1xEB HcHSeYbghbMjGfasvKnOaZRsnT 
yCOxhWB1solZE", 


"e": "AQAB", 
"alg": "RSA-OAEP", 
"d": "n7fzJc3 WG59VEOBTkayzuSMM7800JQuZjN KbH810Z2G25ZoAT7TABx 


ccOxOn5oZE5uSCIwg910CtOJvxPcpmqzaJZginirjcWZ-oBtVk7gCAWq 
-B3ghfF3izlbkosrzjHajIcY33HBhsy4 WerrXg4MDNEA4HYOojy68TCXT 
2LYORXxUOCf5TtJXvM8olexlSGtVnQOnDRutxEUCwiewfmmrfveEogLx9E 
A-KMgAjTilSXxqIXOhWUOX1G7v mV Hr2YuImYcNcHkRvp9E700k0876 
DhkO8v4UOZLwA101UX98mkoqwc58A Y21BYbVx1 s5lpPsEqbbH-nqI]j 
hlfLOgdNfihLxnclWtW7pCztLnImZAyeCWAG7ZIfv-Rn9fLIv9jZ6r"7r 
-MSH9sqbuziHN2grGjD jfRluMHa0184fFKl6bcqN1JWxPVhzNZoO1lyD 
F-1LiOnqUYSepPf6X3a2SOdkqBRiquE6EvLuSYIDpJq3jDISsgoL8MolL 
oomgiJxUwL GWEOGu28gplyzm-9Q0UOnyhEfluhSR8aJAQWAiFImWH5W 
—IQT9I7-yrindr 2fWQ ilUgMsGzA7aOGzZfPljRy6z-tY KuBG00-28 
S aWvjyUC-Alp8AUyKjBZ-7CWH32fGWK48jlt-zomrwjL mnhsPbGsOc 
9WsWgRzI-K8gE", 

"p": "7 2v3OQZzlPFCHyYfLABOS3XP85Es4hCdwCkbDeltaUXgVy919etKgh 
vMAhRkOvbbOlkYVuLEmxIkCDtpi-zLCYAdXKrAK3PtSbtzld XZ9nlsY 
a QZWpXB IrtFjVfdKUdMz94pHUhFGFj7nr6NNxfpiHSHWFElzD AC3m 
Y46J961Y2LRnreVwAGNw53p07Db8yD 92pDa97vqcZOdgtybH9q6uma- 
RFNhOl1AoiJhYZj69hjmMRXx-x56HO9cnXNbmzNSCFCKnOmn4GOQLmRj9s 
fbZRqL94bbtE4 eOZrpo8RNo8vxRLqONwIy85fc6oBRgBJomt8QdOvIgP 
gWCv5HoQ", 

"q": "ZqOHk1P6WN rHuM7ZF1cXHOx6RuOHq67WuHiSknqQeefGBA9PWs6Zy 
KQCO-O6mKXtcgE8 O hA2kMRCKOCvHillhqMCNSXlflM7WPRPZu2qCDc 
qssd uMbP-DqYthH EzwL9KnYoH7JOFxxmcv5An80XUtTwk4knKjkIYG 
RuUwfQTusOwl1NfjFAyxOOiAQ37ussICE6C6Z2SsM3n41UlbJ7TCqewzVJ 
aPJN5cCxjySPZPD3VpOla9YgAD6a3IIaKJdIxJSl1ImnfPevSJQBE79-EX 
e2kSwVgOzvt-gsmM290Q08veHy4uAqca5dZzzMs7hkkHtw1z0jHV90epQJ 
JlXXnH8Q", 

"dp": "190DkBhlAXelMIxQFm2zZTqUhAzCIr4xNIGEPNODt1jK83 FJA-xn 
x5kA7-lerdHdms Ef67HsONNv5A60JaR7w8LHnDiBGnjdaUmmuO8XAxQ 
J ia5mxjxNjS6E2yD44USo2JmHvzeeNczq25elqbTPLhUpGolIZuG72F 
ZQ5gTjXoTXC2-xtCDEUZfaUNh4IeAipfLugbpeOJAFlFfrTDAMUFpC3i 
XjxgzbEanflwPvj6V9iDSgjj8SozSMOdLtxvuOLIelQAeEgT yXcrKGm 
pKdSO08kLBx8VUjkbv 3Pn20Gyu2YEuwpFlM HINikuxJNKFGmnAq9Lc 
nwwT0jvoQ", 

"dq": "S6p59KrlmzGzaQYOM3o0XfHCGvfqHLYjCO557HYOf72O09kLMCfd 1 
VBEqeD-1jjwELKDjck8kOBl5UvohKl10DfSPlDleAy-cnmL29DqwmhgwM 
lipOCCNmkmsmDSlqkUXDi6sAaZuntyukyflI-qSQ3C BafPyFaKrtlfg 
dyEwYa08pESKwwWisy7KnmoUvaJ3SaHmohFS78TJ25cfclO0wZ9hQNOrI 
ChZlkiOdFCtxDqdmCqNacnhgE3bZ0QjGp3n830DSz9zwJcSUvODIXBPc2 
AycH6Ci5yjbxt4Ppox 5pjm6xnQkiPgjO01GpsUssMmBN7iHVsrE7N2iz 
nBNCeOUIQ", 

"qi": "FZhClBMywVV jnuUud-05qd5CYUOdK79akAgy90X6RX6IG3IIIPCkCC 
iRrokxglZn-omAY5CnCe4KdrnjFOT5YUZE7G Pg44XgCXaarLOf4hl80 
OPEf6-jJ5Iy6wPRx7G2e8qLxnh9cOdf-kRqgOS3FA48Ucvw3ma5V6KGMw 
OqWFeV31XtZ815cVI-I3NzBS7qltpUVgz2Ju021eyc71lqgzR98qKONl 
27DuEESOaK0WE97jnsyO27Yp88Wa2RiBrEocM89QZIl1seJiGDizHRUPA 
UZxw9zsXwwA6wyOP6f9grnYp7t8LkyDDk8eol4KX6SNMNVCyVS9IWjlq 
8EzqZEKIA" 
} 

Figure 84: RSA 4096-Bit Key 


(NOTE: While the key includes the private parameters, only the public 
parameters "e" and "n" are necessary for the encryption operation.) 


5.2.2. Generated Factors 
The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 85. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 86. 
mYMfsggkTAmOTbvtlFh2hyoXnbEzJQjMxmgLN3d8xXA 


Figure 85: Content Encryption Key, base64url-encoded 


-nBoKLHOYKkLZPSIS9 


Figure 86: Initialization Vector, base64url-encoded 
5.2.3. Encrypting the Key 


Performing the key encryption operation over the CEK (Figure 85) with 
the RSA key (Figure 84) produces the following Encrypted Key: 


rT99rwrBTbTI7IJM8fU3El1i7226HEB7IchCxNuh71Ciud48LxeolRdtFF4nzQi 
beYOl5S PJsAXZwSXtDePz9hk-BbtsTBqC2UsPOdwjC9NhNupNNu9uHIVftDyu 
cvI6hvALeZ60GnhNV4vlzx2k701D89mAzfw- kT3tkuorpDU-CpBENfIHX10Q58 
-Aad3FzMuo3Fn9buEP2yXakLXYal5BUXOsupMAA1GDA H4Bd7V3u9h8Gkg8Bpx 
KdUV9ScfJQTcYm6eJEBz3aSwIaKA4T3-dwWpuBOhROOXBosJzSlasnuHtVMt2pK 
IIfux5BC6huIvmY7kzV7W7alUrpYm 3H4zYvyMeq5pGqFmW2k8zpO878TRl1Zx7 
pZfPYDSXZySOCfKKkMozT qiCwZTSz4duYnt8hSA4Z29sGthXn9uDqd6wycMagnQ 
fOTs lycTWmY-aqWVDKhjYNRfOGNiwRtb5BE-tOdFwCASQj3uuAgPGrO2AWBe3 
8UjObOlvXnlSpyvYZ3WFc7WOJYaTa7A8DRn6MC6T-xDmMuxC0G7S2rscw51QQU 
O06MvZTIFOtOUvfuKBa03cxA nIBIhLMjY2kOTxOMmpDPTr6Cbo8aKaOnx6ASE5 
Jx9paBpnNmOOKH35j OlrQhDWUN6A2Gg8iFayJ69xDEdHAVCGRZzN3wOEI20zDR 
S 


Figure 87: Encrypted Key, base64url-encoded 

5.2.4. Encrypting the Content 
The following is generated before encrypting the Plaintext: 


o JWE Protected Header; this example uses the header from Figure 88, 
encoded using base64url [RFC4648] to produce Figure 89. 


{ 
  "alg": "RSA-OAEP", 
  "kid": "samwise.gamgee@hobbiton.example", 
  "enc": "A256GCM" 
} 


Figure 88: JWE Protected Header JSON 


eyJhbGciOiJSUOEtTOFFUCIsImtpZCI6InNhbXdpc2UuZ2FtZ2VlQGhvYmJpdG 
9uLmV4YWlwbGUiLCJlbmMiOiJBMjU2RONNInO 


Figure 89: JWE Protected Header, base64url-encoded 
Performing the content encryption operation over the Plaintext 
(Figure 72) with the following: 

o CEK (Figure 85); 
o Initialization Vector (Figure 86); and 
o JWE Protected Header (Figure 89) as authenticated data 
produces the following: 
o Ciphertext from Figure 90. 
o Authentication Tag from Figure 91. 
o4k2cnGN8rSSw3IDolYuySkqeS t2m1GXklSgqBdpACm6UJuJowOHC5ytjqYgR 
L-I-soPlwqMUfA4UgRWWeaOGNw6vGW-xyMOl1lTYxrXfVzIIaRdhYtEMRBvBWbEw 
P7ualDRfvaOjgZv6lfa3brcAM64d8p5lhhNcizPersuhwb5f-pGYzseva-TUaL8 
iWnctc-sSwy7SQmRkfhDjwbzOfz6kFovEgj64X115s7E6GLp5fnbYGLalQUiML 
7Cc2Gxgvl17zqWoOYIECc7aCfl1LG1-8BboVWFdZKLK9vNoycrYHumwzKluLWEDbSV 
maPpOslY2n525DxDfWaVFUfKOxMF56vn4B90MpWAbnypNimbM8zVOw 

Figure 90: Ciphertext, base64url-encoded 
UCGiqJxhBI3IFVdPalHHvA 

Figure 91: Authentication Tag, base64url-encoded 

5.2.5. Output Results 
The following compose the resulting JWE object: 

o JWE Protected Header (Figure 89) 
o Encrypted Key (Figure 87) 
o Initialization Vector (Figure 86) 


o Ciphertext (Figure 90) 


o Authentication Tag (Figure 91) 
The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJSUOEtTOFFUCIsImtpZCI6InNhbXdpc2UuZ2FtZ2VlQGhvYmJpdG 
9uLmV4YWlwbGUiLCJlbmMiOiJBMjU2RONNInO 


rT99rwrBTbTI7IJM8fU3El1i7226HEB7IchCxNuh71Ciud48LxeolRdtFF4nzQi 
beYOl5S PJsAXZwSXtDePz9hk-BbtsTBqC2UsPOdwjC9NhNupNNu9uHIVftDyu 
cvI6hvALeZ60GnhNV4vlzx2k701D89mAzfw- kT3tkuorpDU-CpBENfIHX10Q58 
-Aad3FzMuo3Fn9buEP2yXakLXYal5BUXOsupMAA1GDA H4Bd7V3u9h8Gkg8Bpx 
KdUV9ScfJQTcYm6eJEBz3aSwIaKA4AT3-dwWpuBOhROOXBosJzSlasnuHtVMt2pK 
IIfux5BC6huIvmY7kzV7W7alUrpYm 3H4zYvyMeq5pGqFmW2k8zpO878TRlZx7 
pZfPYDSXZySOCfKKkMozT qiCwZTSz4duYnt8hSA4Z29sGthXn9uDqd6wycMagnQ 
fOTs lycTWmY-aqWVDKhjYNRfOGNiwRtb5BE-tOdFwCASQj3uuAgPGrO2AWBe3 
8UjObOlvXnlSpyvYZ3WFc7WOJYaTa7A8DRn6MC6T-xDmMuxC0G7S2rscw51QQU 
06MvZTIFOtOUvfuKBa03cxA nIBIhLMjY2kOTxOMmpDPTr6Cbo8aKaOnx6ASE5 
Jx9paBpnNmOOKH35j OlrQhDWUN6A2Gg8iFayJ69xDEdHAVCGRZzN3wOEI20zDR 
S 


-nBoKLHOYKkLZPSIS9 


o4k2cnGN8rSSw3IDolYuySkqeS t2m1GXklSgqBdpACm6UJuJowOHC5yt jqYgR 
L-I-soPlwqMUfA4UgRWWeaOGNw6vGW-xyMOl1lTYxrXfVzIIaRdhYtEMRBvBWbEw 
P7ualDRfvaOjgZv6lfa3brcAM64d8p5lhhNcizPersuhwb5f-pGYzseva-TUaL8 
iWnctc-sSwy7SQmRkfhDjwbzOfz6kFovEgj64X115s7E6GLp5fnbYGLalQUiML 
7Cc2G6xgvI7zqWoOYIEc7aCfl1LG1-8BboVWFdZKLK9vNoycrYHumwzKluLWEDbSV 
maPpOslY2n525DxDfWaVFUfKOxMF56vn4B90MpWAbnypNimbM8zVOw 


UCGiquUxhBI3IFVdPalHHvA 


Figure 92: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 
"recipients": [ 
{ 

"encrypted_key": "rT99rwrBTbTI7IJM8fU3E1i7226HEB7IchCxNu 
h71Ciud48LxeolRdtFFA4nzQibeYOl1558 PJsAXZwSXtDePz9hk-Bb 
tsTBqCA2UsPOdwjC9NhNupNNu9uHIVftDyucvIóhvALeZ60OGnhNV4 
vlzx2k7O1D89mAzfw- kT3tkuorpDU-CpBENfIHX10Q58-Aad3FzM 
u0o3Fn9buEP2yXakLXYal5BUXOsupM4A1GD4_H4Bd7V3u9h8Gkg8B 
pxKdUV9ScfJOTcYm6eJEBz3aSwIaKA4T3-dwWpuBOhROOXBosJzS1 
asnuHtVMt2pKIIfux5BC6huIvmY7kzV7W7alUrpYm 3H4zYvyMeq 
5pGqFmW2k8zpO878TRlZx7pZfPYDSXZySOCfKKkMozT qiCwZTSz 
4duYnt8hS4Z29sGthXn9uDqd6wycMagnQOfOTs lycTWmY-aqWVDKh 
jYNR£f03NiwRtb5BE-tOdFwCASQj3uuAgPGrO2AWBe38UjQbOlvXn 
1SpyvYZ3WFc7WOJYaTa7A8DRn6MC6T-xDmMuxC0OG7S2rscw51QQU 
O6MvZTlFOtOUvfuKBa03cxA nIBIhLMjY2kOTxOMmpDPTr6Cbo8a 
KaOnx6ASE5Jx9paBpnNmOOKH35j OlrQhDWUN6A2Gg8iFayJ69xD 
EGHAVCGRZN3woEI20zDRs" 


} 

], 

"protected": "eyJhbGciO0iJSUO0EtTOFFUCIsImtpZCI6InNhbXdpc2Uuz2 
FtZ2VlQGhvYmJpdG9uLmVA4YWl1wbGUiLCJlbmMiOiJBMjU2RONNInO", 

"iv": "-nBoKLHOYkLZPSIO", 

"ciphertext": "o4k2cnGN8rSSw3IDolYuySkqeS t2ml1GXklSgqBdpACmó 
UJuJowOHC5ytjqYgRL-I-soPlwqMUf4AUgRWWeaOGNw6vGW-xyMOl1l1TYx 
rXfVzIIaRdhYtEMRBvBWbEwP 7ualDRfvaOjgZv6lIfa3brcAM64d8p5lh 
hNcizPersuhwb5f-pGYzseva-TUaL8iWnctc-sSwy7SQmRkfhDjwbzOfz 
6kFovEgj64X115s7E6GLp5fnbYGLalQUiML7Cc2GxgvIl7zqWoOYIEc7a 
CflLG1-8BboVWFdZKLK9vNoycrYHumwzKluLWEbSVmaPpOslY2n525Dx 
DfWaVFUfKOxMF56vn4B90MpWAbnypNimbM8zVOw", 

"tag": "UCGigqJxhBI3IFVdPalHHvA" 
} 

Figure 93: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 


{ 
"protected": "eyJhbGciOiJSUOEtTOFFUCIsImtpZCI6InNhbXdpc2UuZ2 
FtZ2VlOGhvYmJpdG9uLmVAYWl1wbGUiLCJlbmMiOiJBMjU2RONNInO", 


"encrypted_key": "rT99rwrBTbTI7IJM8fU3E1i7226HEB7ICcChCxNuh71C 
iud48LxeolRdtFFA4nzQibeYOl15S PJSAXZwSXtDePz9hk-BbtsTBqC2U 
sPOdwjC9NhNupNNu9uHIVftDyucvI6hvALeZ60OGnhNV4Avlzx2k701D89 
mAzfw- kT3tkuorpDU-CpBENfIHX10Q58-Aad3FzMuo3Fn9buEP2yXakL 
XYal5BUXOsupMAA1GDA HA4Bd7V3u9h8Gkg8BpxKdUV9ScfJQTcYm6eJE 
Bz3aSwIaKA4T3-dwWpuBOhROQXBosJzSlasnuHtVMt2pKIIfuxb5BCó6huI 
vmY7kzV7W7alUrpYm 3H4zYvyMeq5pGqFmW2k8zpO878TRlZx"7pZfPYD 
SXZySOCfKKkMozT qiCwZTSz4duYnt8hS4Z29sGthXn9uDqd6wycMagnQ 
fOTs lycTWmY-aqWVDKhjYNRfOGNiwRtb5BE-tOdFwCASQj3uuAgPGrO 
2AWBe38UjOb0lvXnlSpyvYZ3WFc7WOJYaTa7A8DRn6MC6T-xDmMuxCOG 
7S2rscw51QQUO6MvZTlFOtOUvfuKBa03cxA nIBIhLMjY2kOTxOMmpDP 
Tr6Cbo8aKaOnx6ASE5Jx9paBpnNmOOKH35j OlrQhDWUN6A2Gg8iFayJ 
69xDEGHAVCGRZN3woEI2o0zDRs", 

"iv": "-nBoKLHOYKkLZPSIO", 


"ciphertext": "o4k2cnGN8rSSw3IDolYuySkqeS t2m1GXklSgqBdpACmóo 


UJuJowOHC5yt jaYgRL-I-soPlwqMUf4UgRWWeaOGNw6vGW-xyMO11TYx 
rXfVzIIaRdhYtEMRBvBWbEwP 7ualDRfvaOjgZv6lIfa3brcAM64d8p5lh 
hNcizPersuhwb5f-pGYzseva-TUaL8iWnctc-sSwy7SQmRkfhDjwbzOfz 
6kFovEgj64X115s7E6GLp5fnbYGLalQUiML7Cc2Gxgvl7zqWoOYIEc7a 
CflLG1-8BboVWFdZKLK9vNoycrYHumwzKluLWEbSVmaPpOslY2n525Dx 
DfWaVFUfKOxMF56vn4B90MpWAbnypNimbM8zVOw", 


"tag": "UCGigqJxhBI3IFVdPalHHvA" 
} 

Figure 94: Flattened JWE JSON Serialization 
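The three serializations above (Figures 92, 93 and 94) carry the same five base64url parts in different layouts, and the Protected Header of Figure 88 also serves as the AEAD authenticated data. The following Python is an added example, not code from the RFC or the cookbook repository: it produces the encoded header from the JSON of Figure 88 and converts a set of parts between the Compact, general JSON and flattened JSON forms; the binary parts are stand-in placeholders (labelled as constructed), since the real values of Figure 92 come from the RSA and AES operations not shown here.

```python
import base64
import json

# Order of the segments in the JWE Compact Serialization
JWE_SEGMENTS = ("protected", "encrypted_key", "iv", "ciphertext", "tag")


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_protected_header(header: dict) -> str:
    """Figure 88 -> Figure 89: compact JSON (no whitespace), then base64url.

    Member order is preserved, so the output depends on the order the
    header was built in; a consumer must decode the bytes it was given and
    never re-serialize its own copy to compare or to rebuild the AAD.
    """
    raw = json.dumps(header, separators=(",", ":"))
    return b64url_encode(raw.encode("utf-8"))


def aad_for(protected_b64: str) -> bytes:
    """The AEAD Additional Authenticated Data is ASCII(BASE64URL(header))."""
    return protected_b64.encode("ascii")


def to_compact(parts: dict) -> str:
    """Five segments joined by '.'. An absent Encrypted Key ("dir",
    "ECDH-ES") leaves the second segment empty, but the dots stay."""
    return ".".join(parts.get(name, "") for name in JWE_SEGMENTS)


def to_general_json(parts: dict) -> dict:
    """General JWE JSON Serialization with one recipient, as in Figure 93."""
    recipient = {}
    if parts.get("encrypted_key"):
        recipient["encrypted_key"] = parts["encrypted_key"]
    return {
        "recipients": [recipient],
        "protected": parts["protected"],
        "iv": parts["iv"],
        "ciphertext": parts["ciphertext"],
        "tag": parts["tag"],
    }


def to_flattened_json(parts: dict) -> dict:
    """Flattened JWE JSON Serialization, as in Figure 94."""
    out = {"protected": parts["protected"]}
    if parts.get("encrypted_key"):
        out["encrypted_key"] = parts["encrypted_key"]
    for name in ("iv", "ciphertext", "tag"):
        out[name] = parts[name]
    return out


def from_compact(token: str) -> dict:
    """Split a compact JWE back into its parts and decode the header.

    Only the segment count and base64url/JSON validity are checked here.
    Which "alg"/"enc" values are acceptable is the recipient's own policy
    and must be decided before any key material is unwrapped.
    """
    segments = token.split(".")
    if len(segments) != 5:
        raise ValueError("JWE Compact Serialization needs exactly 5 segments")
    parts = dict(zip(JWE_SEGMENTS, segments))
    parts["header"] = json.loads(b64url_decode(parts["protected"]))
    return parts


# Constructed sample: the header of Figure 88 plus placeholder bytes standing
# in for the Encrypted Key, IV, Ciphertext and Tag of Figure 92.
SAMPLE_HEADER = {
    "alg": "RSA-OAEP",
    "kid": "samwise.gamgee@hobbiton.example",
    "enc": "A256GCM",
}
SAMPLE_PARTS = {
    "protected": encode_protected_header(SAMPLE_HEADER),
    "encrypted_key": b64url_encode(b"<placeholder encrypted key>"),
    "iv": b64url_encode(b"\x00" * 12),
    "ciphertext": b64url_encode(b"<placeholder ciphertext>"),
    "tag": b64url_encode(b"\x00" * 16),
}

if __name__ == "__main__":
    print(to_compact(SAMPLE_PARTS))
    print(json.dumps(to_general_json(SAMPLE_PARTS), indent=2))
    print(json.dumps(to_flattened_json(SAMPLE_PARTS), indent=2))
```

The encoded header starts with "eyJhbGciOiJSU0EtT0FFUCIs", which is base64url of the first 18 octets of the Figure 88 JSON; the remainder of Figure 89 follows in the same way.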


5.3. Key Wrap Using PBES2-AES-KeyWrap with AES-CBC-HMAC-SHA2 


The example illustrates encrypting content using the 
"PBES2-HS512+A256KW" (PBES2 Password-based Encryption using HMAC- 
SHA-512 and AES-256-KeyWrap) key encryption algorithm with the 
"A128CBC-HS256" (AES-128-CBC-HMAC-SHA-256) content encryption 
algorithm. 


A common use of password-based encryption is the import/export of 
keys. Therefore, this example uses a JWK Set for the Plaintext 
content instead of the Plaintext from Figure 72. 
Note that if password-based encryption is used for multiple 
recipients, it is expected that each recipient use different values 
for the PBES2 parameters "p2s" and "p2c". 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.3.1. Input Factors 


The following are supplied before beginning the encryption process: 


o Plaintext content; this example uses the Plaintext from Figure 95 
(NOTE: All whitespace was added for readability). 


o Password; this example uses the password from Figure 96 -- with 
the sequence "\xe2\x80\x93" replaced with (U+2013 EN DASH). 


o "alg" parameter of "PBES2-HS512+A256KW". 


o "enc" parameter of "A128CBC-HS256". 


{ 
"keys": [ 
{ 
"kty": "oct", 
"kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a", 
"use": "enc", 
"alg": "A128GCM", 
"k": "XCtOhJAkA-pD9Lh7ZgW 2A" 
}, 
{ 
"kty": "oct", 
"kid": "81b20965-8332-43d9-a468-82160ad91ac8", 
"use": "enc", 
"alg": "A128KW", 
"k": "GZy6sIZ6wl19NJOKB-3nmVQ" 
}, 
{ 
"kty": "oct", 
"kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d", 
"use": "enc", 
"alg": "A256GCMKW", 
"k": "qC571 uxcm7Nm3K-ct4GFjx8tM1U8CZONLBvdQstis8" 
} 
] 
} 

Figure 95: Plaintext Content 
entrap_o\xe2\x80\x93peter_long\xe2\x80\x93credit_tun 
Figure 96: Password 
5.3.2. Generated Factors 
The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 97. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 98. 


uwsJJXaBK4070af0_zpcemr1CsOCC5O0hTUEyGNEt3m0 

Figure 97: Content Encryption Key, base64url-encoded 
VBiCzVHNoLiR3F4V82u0TQ 

Figure 98: Initialization Vector, base64url-encoded 


5.3.3.  Encrypting the Key 


The following are generated before encrypting the CEK: 
o Salt input; this example uses the salt input from Figure 99. 
o Iteration count; this example uses the iteration count 8192. 
801SzinasR3xchYz6ZZcHA 

Figure 99: Salt Input, base64url-encoded 


Performing the key encryption operation over the CEK (Figure 97) with 
the following: 


o Password (Figure 96); 

o Salt input (Figure 99), encoded as an octet string; and 
o Iteration count (8192) 

produces the following Encrypted Key: 

d3qNhUWfqheyPp4H8s jOWsDYajoej4c5Je6rlUtFPWdgtURtmeDVl1g 


Figure 100: Encrypted Key, base64url-encoded 
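The key that wraps the CEK in Figure 100 is derived with PBKDF2 from the password (Figure 96), a salt built from the "alg" name and the salt input (Figure 99), and the iteration count 8192. The following Python is an added example, not code from the RFC or the cookbook repository: it performs that derivation with the standard library (the AES-256 Key Wrap step itself is not shown), using the password with the EN DASH restored and the salt input as printed in Figure 99; the iteration bounds MIN_P2C and MAX_P2C are assumptions of this example rather than values from the RFC.

```python
import base64
import hashlib

# (PBKDF2 hash, KEK length in octets) per PBES2 variant, RFC 7518 Section 4.8
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

# Assumed limits for this example. RFC 7518 only recommends a minimum of
# 1000 iterations; the upper bound keeps a decryptor from doing unbounded
# PBKDF2 work because an untrusted header asked for an enormous "p2c".
MIN_P2C = 1000
MAX_P2C = 1_000_000
MIN_SALT_OCTETS = 8  # RFC 7518: the p2s salt input must be at least 8 octets


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pbes2_salt(alg: str, p2s_b64: str) -> bytes:
    """Salt = UTF8(alg) || 0x00 || p2s (RFC 7518 Section 4.8.1.1).

    The algorithm name is mixed into the salt, so the same password and
    p2s give unrelated KEKs under the three PBES2 variants.
    """
    p2s = b64url_decode(p2s_b64)
    if len(p2s) < MIN_SALT_OCTETS:
        raise ValueError("p2s is too short")
    return alg.encode("utf-8") + b"\x00" + p2s


def derive_kek(password: str, alg: str, p2s_b64: str, p2c: int) -> bytes:
    """PBKDF2 over the UTF-8 password; output length matches the AES-KW key."""
    hash_name, kek_octets = PBES2_ALGS[alg]
    if not MIN_P2C <= p2c <= MAX_P2C:
        raise ValueError(f"p2c={p2c} is outside the accepted range")
    return hashlib.pbkdf2_hmac(
        hash_name,
        password.encode("utf-8"),  # U+2013 EN DASH becomes e2 80 93
        pbes2_salt(alg, p2s_b64),
        p2c,
        dklen=kek_octets,
    )


def kek_from_header(password: str, header: dict) -> bytes:
    """Read alg, p2s and p2c from a parsed JWE Protected Header (Figure 101)."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError("not a PBES2 key encryption algorithm")
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be a JSON integer")
    return derive_kek(password, alg, header["p2s"], p2c)


# Inputs of Section 5.3: Figure 96 with the EN DASH restored, and the
# protected header members of Figure 101.
PASSWORD = "entrap_o\u2013peter_long\u2013credit_tun"
HEADER = {
    "alg": "PBES2-HS512+A256KW",
    "p2s": "801SzinasR3xchYz6ZZcHA",
    "p2c": 8192,
    "cty": "jwk-set+json",
    "enc": "A128CBC-HS256",
}

if __name__ == "__main__":
    print(kek_from_header(PASSWORD, HEADER).hex())
```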


Miller Informational [Page 54] 


RFC 7520 JOSE Cookbook May 2015 


5.3.4. Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 101, encoded using base64url [RFC4648] to produce 


Figure 102. 

{ 
"alg": "PBES2-HS512+A256KW", 
"p2s": "801SzinasR3xchYz6ZZcHA", 
"p2c": 8192, 
"cty": "jwk-set+json", 
"enc": "A128CBC-HS256" 
} 

Figure 101: JWE Protected Header JSON 
eyJhbGciOiJQOkVTMilIUZzUxMitBMjU2Sl1ciLCJwMnMiOiIlA4UTFTemluYXNSM3 
hjaFl16NlpaYOhBIiwicDJjIjo4MTkyLCJjdHkiOiJqd2stc2VOK2pzb24iLCJl 
bmMiOiJBMTI4QO0JDLUhTMjU2InO 

Figure 102: JWE Protected Header, base64url-encoded 


Performing the content encryption operation over the Plaintext 
(Figure 95) with the following: 


o CEK (Figure 97); 

o Initialization Vector (Figure 98); and 

o JWE Protected Header (Figure 102) as authenticated data 
produces the following: 

o Ciphertext from Figure 103. 


o Authentication Tag from Figure 104. 
23i-Tb1AV4nNOWKVSSgcOrdg6GRgsUKxjruHXYsTHAJLZ2nsnGIX86vMXqli6IR 
SfywCRFZzLxECZBRnTvG3nhzPkOGDD7FMyXhUHpDjEYCNA XOmzg8yZR9oyjo61l 
TF6si4q9FZ2EhzgFQCLO 6h5EVg3vR75 hkBsnuoqoM3dwejXBtlIodN84PeqMb 
6asmas dpSsz7H10fC5ni9xIz424givBlYLldF6exVmL93R3fOoOJbmk2GBQZL 
.SEGll1v2cQsBgeprARsaQ7Bq99tT80coH81tBjgVO08AtzXFFsx9qKvC982KLKd 
POMTIVJKkqtVARu5LEVpBZXBnZrtViSOgyg6AiuwaS-rCrcD ePOGSuxvgtrok 
AKYPqmXUeRdjFJwafkYEkiuDCV9vWGAilDH2xTafhJwcmywIyzi4BqRpmdn N- 
zl5tuJYyuvKhjKv6ihbsV klhJGPGAxJ6wUpmwCAPTO2izEmOTuSE80MKdTw8V 
3kobXZ7 TulMwDs4p 
Figure 103: Ciphertext, base64url-encoded 
OHlwodAhOCILG5SQ2LQ9dg 
Figure 104: Authentication Tag, base64url-encoded 
5.3.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 102) 
o Encrypted Key (Figure 100) 
o Initialization Vector (Figure 98) 


o Ciphertext (Figure 103) 


o Authentication Tag (Figure 104) 
The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJQOkVTMilIUZzUxMitBMjU2Sl1ciLCJwMnMiOiIlA4UTFTemluYXNSM3 
hjaFl16NlpaYOhBIiwicDJjIjo4MTkyLCJjdHkiOiJqd2stc2VOK2pzb24iLCJl 
bmMiOiJBMTI4QO0JDLUhTMjU2InO 


d3qNhUWfqheyPp4H8s jOWsDYajoej4c5Je6rlUtFPWdgtURtmeDVl1g 
VBiCzVHNoLiR3F4V82uoTO 


23i-Tbl1AV4AnOWKVSSgcOrdg6GRqsUKxjruHXYsTHAJLZ2nsnGIX86vMXqIi6IR 
SfywCRFZzLxECZBRnTvG3nhzPkOGDD7FMyXhUHpDjEYCNA XOmzg8yZR9oyjo61l 
TF6si4q9FZ2EhzgFQCLO 6h5EVg3vR75 hkBsnuoqoM3dwejXBtlIodN84PeqMb 
6asmas dpSsz7H10fC5ni9xIz424givBlYLldF6exVmL93R3fOoOJbmk2GBQZL 
.SEGll1v2cQOsBgeprARsaQ7Bq99tT80coH81tBjgVO08AtzXFFsx9qKvC982KLKd 
POMTIVJKkqtVARu5LEVpBZXBnZrtViSOgyg6AiuwaS-rCrcD ePOGSuxvgtrok 
AKYPqmXUeRdjFJwafkYEkiuDCV9vWGAilDH2xTafhJwcmywIyzi4BqRpmdn N- 
zl5tuJYyuvKhjKv6ihbsV kl1hJGPGAxJ6wUpmwCAPTO2izEmOTuSE80MKdTw8V 
3kobXZ77ulMwDs4p 


OHlwodAhOCILG5SQ2LQ9dg 


Figure 105: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 
"recipients": [ 
{ 
"encrypted_key": "d3qNhUWfqgheyPp4H8sjOWsDYajoej4c5Je6rlU 
tFPWdgtURtmeDV1g" 
} 


], 
"protected": "eyJhbGciOiJQQkVTMilIUzUxMitBMjJU2S1ciLCJwMnMiOi 


I4UTFTemluYXNSM3h3jaF16N1paY0hBIiwicDJjIjo4MTkyLCIjdHkiOi 
Jqd2stc2VOK2pzb24iLCJlbmMiOiJBMTIA4QOJDLUhTMjU2InO", 

"iv": "VBiCzVHNoLiR3FAV82uoTQ", 

"ciphertext": "23i-Tb1AVA4nOWKVSSgcOrdg6GRqsUKxjruHXYsTHAJLZ2 
nsnGIX86vMXqIi6IRsfywCRFzLxECZBRnTvG3nhzPkOGDD7FMyXhUHpD 
jEYCNA XOmzg8yZR9oyjo6lTF6si4q9FZ2bEhzgFOCLO 6h5EVg3vR75 
hkBsnuoqoM3dwe jXBt lodN84PeqMb6asmas_dpSsz7H10fC5ni9xIz42 
AgivBlYLldF6exVmL93R3fOoOJbmk2GBOQZL SEGllv2cQsBgeprARsaQ 
7Bq99tT80coH8ItBjgVO08AtzXFFsx9qKvC982KLKdPOMTlVJKkqtV4Ru 
5LEVpBZXBnZzrtViSOgyg6AiuwaS-rCrcD ePOGSuxvgtrokAKYPqmXUe 
RdjFJwafkYEkiuDCV9vWGAilDH2xTafhJwcmywIyzi4BqRpmdn N-z15 
tuJgYyuvKhjKv6ihbsV kl1hJGPGAxJ6wUpmwCAPTO2izEmOTuSE80MKdT 
w8V3kobXZ77ulMwDs4p", 

"tag": "OHlwodAhOCILG5SQ2LOQ9dg" 
} 

Figure 106: General JWE JSON Serialization 



The resulting JWE object using the flattened JWE JSON Serialization: 


{ 
"protected": "eyJhbGciO0iJQOKVTMilTUZUXMitBM3jU2S1ciLCJwMnMiOi 


I4UTFTemluYXNSMGhjaFl16NlpaYOhBIiwicDJjIjo4MTkyLCJjdHkiOi 
Jqd2stc2VOK2pzb24iLCJlbmMiOiJBMTIA4QOJDLUhTMjU2InO", 
"encrypted_key": "d3gNhUWfqheyPp4H8sjOWsDYajoej4c5Je6rlUtFPW 
dgtURtmeDV1g", 

"iv": "VBiCzVHNoLiR3FAV82uoTQ", 

"ciphertext": "23i-Tb1AVA4nOWKVSSgcOrdg6GRqsUKxjruHXYsTHAJLZ2 
nsnGIX86vMXqIi6IRsfywCRFzLxECZBRnTvG3nhzPkOGDD7FMyXhUHpD 
jEYCNA XOmzg8yZR9oyjo6lTF6si4q9FZ2EhzgFOCLO 6h5EVg3vR75 
hkBsnuoqoM3dwejXBtlIodN84PegMb6asmas dpSsz7H10fC5ni9xIz42 
AgivBlYLldF6exVmL93R3fOoOJbmk2GBOZL SEGllv2cQsBgeprARsaQ 
7Bq99tT80coH8ItBjgVO08AtzXFFsx9qKvC982KLKdPOMTlVJKkqtV4Ru 
5LEVpBZXBnZzrtViSOgyg6AiuwaS-rCrcD ePOGSuxvgtrokAKYPqmXUe 
RdjFJwafkYEkiuDCV9vWGAilDH2xTafhJwcmywIyzi4BqRpmdn N-z15 
tuJgYyuvKhjKv6ihbsV kl1hJGPGAxJ6wUpmwCAPTO2izEmOTuSE80MKdT 
w8V3kobXZ77ulMwDs4p", 

"tag": "OHlwodAhOCILG5SQ2LOQ9dg" 
} 

Figure 107: Flattened JWE JSON Serialization 


5.4. Key Agreement with Key Wrapping Using ECDH-ES and AES-KeyWrap with 
AES-GCM 


This example illustrates encrypting content using the "ECDH- 
ES+A128KW" (Elliptic Curve Diffie-Hellman Ephemeral-Static with AES- 
128-KeyWrap) key encryption algorithm and the "A128GCM" (AES-GCM) 
content encryption algorithm. 


Note that only the EC public key is necessary to perform the key 
agreement. However, the example includes the EC private key to allow 
readers to validate the output. 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.4.1. Input Factors 


The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 


o EC public key; this example uses the public key from Figure 108. 
o "alg" parameter of "ECDH-ES+A128KW". 
o "enc" parameter of "A128GCM". 
{ 
"kty": "EC", 
"kid": "peregrin.took@tuckborough.example", 
"use": "enc", 
"crv": "P-384", 
"x": "YU4rRUZAamVqmRtWOs20pDE_T5fsNIodcG8G5FWPrTPMyxpzsSOGaQL 
pe2FpxBmu2", 
"y": "A8-yxCHXkfBz3hKZfI1jUYMjUhsEveZ9THuwFjH2sCNdtksRJU7D5- 
SkgaFL1ETP", 
"d": "iTx2pk7wW-GqJIkHcEkFOb2EFyYcO7RugmaW3mRrQVAOUiPommTO0lIdn 
YK2xD1Zh-3" 
} 


Figure 108: Elliptic Curve P-384 Key, in JWK Format 


(NOTE: While the key includes the private parameters, only the public 
parameters "crv", "x", and "y" are necessary for the encryption 
operation.) 


5.4.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 109. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 110. 


Nou2ueK1P70ZXDbq9UrRwg 


Figure 109: Content Encryption Key, base64url-encoded 


mH-G2zVqgztUtnW . 


Figure 110: Initialization Vector, base64url-encoded 


5.4.3.  Encrypting the Key 


To encrypt the Content Encryption Key, the following is generated: 


o Ephemeral EC private key on the same curve as the EC public key; 
this example uses the private key from Figure 111. 
{ 
"kty": "EC", 
"crv": "P-384", 
"x": "uBo4kHPw6kb3x510xowrd_oYzBmaz-GKFZu4xAFFkbYiWgutEK6iuE 
DsQ6wNdNg3", 
"y": "sp3p5SGhZVC2faXumI-e9JU2MOo8KpoYrFDr5yPNVtWAPgEWwZOyQTA- 
JdaY8tb7EO0", 
"d": "D5HAY 5PSKZvhfVFbcCYJOtcGZygRgfZkpsBr59Icmmhe9sW6nkZ8W 
fwhinUfWJg" 
} 


Figure 111: Ephemeral Elliptic Curve P-384 Key, in JWK Format 


Performing the key encryption operation over the CEK (Figure 109) 
with the following: 


o The static Elliptic Curve public key (Figure 108); and 
o The ephemeral Elliptic Curve private key (Figure 111) 
produces the following JWE Encrypted Key: 
ODJjBXri kBcCA46IKkU5 Jk9BqaQeHdv2 
Figure 112: Encrypted Key, base64url-encoded 
5.4.4.  Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 113, encoded to base64url [RFC4648] as Figure 114. 


{ 
"alg": "ECDH-ES+A128KW", 
"kid": "peregrin.took@tuckborough.example", 
"epk": { 
"kty": "EC", 
"crv": "P-384", 
"x": "uBo4kHPw6kb3jx510xowrd_oYzBmaz-GKFZu4xAFFkbYiWgutEK6i 
uEDsQ6wNdNg3", 
"y": "sp3p5SGhZVC2faXumlI-e9JU2MO8KpoYrFDr5yPNVtW4PgEwZOyQT 
A-JdaY8tb7E0" 
}, 
"enc": "A128GCM" 
} 


Figure 113: JWE Protected Header JSON 
eyJhbGciOiJFQORILUVTKOExMjhLVyIsImtpZCI6InBlcmVncmluLnRvb2tAdH 
Vja2Jvcm91Z22guZXhhbXBsZSIsImVwayl6eyJrdHkiOiJFQyIsImNydil6IllAt 
MzgÜIiwieCI6InVCbzRrSFB3NmtianglbDBA4b3dyZF9vWXpCbWFO6LUGLRlp1NH 
hBRkZrYllpV2dl1dEVLNml1RURZzUTZ3TmROZzMiLCJ5Ijoic3AzcDVTR2haVkMy 
ZmFYdW1JLWU5SlUyTW84S3BvWXJGRHIleVBOVnRXNFBnRXdaT3l1RVEEtSmRhWT 
h0OYjdFMCJ9LCJlbmMiOiJBMTIA4RONNInO 

Figure 114: JWE Protected Header, base64url-encoded 


Performing the content encryption operation on the Plaintext 
(Figure 72) using the following: 


o CEK (Figure 109); 
o Initialization Vector (Figure 110); and 
o JWE Protected Header (Figure 114) as authenticated data 
produces the following: 
o Ciphertext from Figure 115. 
o Authentication Tag from Figure 116. 
tkzuOO9h950gHJUmkkrfLBisku8rGf6nzVxhRM3sVOhXgz5NJ7601ID71pnAi cP 
WJRCjSpAaUZ5dOR3Spy7QuEkmEKx8-3RCMhSYMzsXaEwDdXta9Mn5B7cCBoJKBO 
IgEnj qgfolhli-uEkUpOZ8aLTZGHfp105jMwbKkTe2yK3mjF6SBAsgicODVCkc 
Y9BLluzxl1RmC3ORXaMOJaHPB93YcdSDGgpgBWMVrNUIErkjcMqMoT wtCex3w0 
3XdLkjXIuEr2hWgeP-nkUZTPU9EOGSPj6fAS-bSz8"7RCPrxZdj iVyC6QWcqgAu 
07WNhjzJEPc4jVntRJ6K53NgPQ5p9913Z24080Uqj4ioYezbS6vTPlO 

Figure 115: Ciphertext, base64url-encoded 


WuGzxmcreYjpHGJoal7EBg 


Figure 116: Authentication Tag, base64url-encoded 
5.4.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 114) 
o Encrypted Key (Figure 112) 
o Initialization Vector (Figure 110) 
o Ciphertext (Figure 115) 
o Authentication Tag (Figure 116) 
The resulting JWE object using the JWE Compact Serialization: 
eyJhbGciOiJFQORILUVTKOExMjhLVyIsImtpZCI6InBlcmVncmluLnRvb2tAdH 
Vja2Jvcm91Z22guZXhhbXBsZSIsImVwayIl6eyJrdHkiOiJFQyIsImNydil6IllAt 
MzgÜIiwieCI6InVCbzRrSFB3NmtianglbDBA4b3dyZF9vWXpCbWFO6LUGLRlp1NH 
hBRkZrYllpV2dl1dEVLNml1RURZzUTZ3TmROZzMiLCJ5Ijoic3AzcDVTR2haVkMy 
ZmFYdW1JLWU5SlIUyTW84S3BvWXJGRHIleVBOVnRXNFBnRXdaT3l1RVEEtSmRhWT 
h0OYjdFMCJ9LCJlbmMiOiJBMTIA4RONNInO 
ODJjBXri kBcCA46IKkU5 Jk9BqaQeHdv2 
mH-G2zVqgztUtnW . 
tkzuOO9h950gHJUmkkrfLBisku8rGf6nzVxhRM3sVOhXgz5NJ760ID71pnAi cP 
WJRCjSpAaUZ5dOR3Spy7QuEkmKx8-3RCMhSYMzsXaEwDdXta9Mn5B7cCBoJKBO 
IgEnj qgfolhli-uEkUpOZ8aLTZGHfpl105jMwbKkTe2yK3mjF6SBAsgicODVCkc 
Y9BLluzxl1RmC3ORXaMOJaHPB93YcdSDGgpgBWMVrNUIErkjcMqMoT wtCex3w0 
3XdLkjXIuEr2hWgeP-nkUZTPUO9EOGSPj6fAS-bSz8"7RCPrxZdj iVyC6QWcqgAu 
07WNhjzJEPc4jVntRJ6K53NgPQ5p9913Z24080Uqj4ioYezbS6vTPlOQ 
WuGzxmcreYjpHGJoal7EBg 


Figure 117: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 


"recipients": [ 
{ 
"encrypted_key": "ODJjBXri kBcCA6IKkU5 Jk9BqaQeHdv2" 
} 
], 
"protected": "eyJhbGciOiJFQORILUVTKOExMjhLVyIsImtpZCI6InBlcm 


VncmluLnRvb2tAdHVja2Jvcm9122guZXhhbXBsZSIsImVwayIl6eyJrdH 
kiOiJFOQyIsImNydil6IlAtMzgOliwieCI6InVCbzRrSFB3NmtianglbD 
B4b3dyZF9vWXpCbWF6LUGdGLRIplNHhBRkZrYllpV2dl1dEVLNml1RURzUT 
Z3TmROZzMiLCJ5Ijoic3AzcDVTR2haVkMyZmFYdW1JLWU5S1UyTW84S3 
BvWXJGRHIl1eVBOVnRXNFBnRXdaT3lRVEEtSmRhWThOYjdFMCJ9LCJlbm 
MiOiJBMTIA4RONNInO", 

"iv": "mH-G2zVqgztUtnW ", 

"ciphertext": "tkZuOO9h950gHJUmkkrfLBisku8rGf6nzVxhRM3sVOhXgz 
5NJ760ID7l1pnAi cPWJRCjSpAaUZ5dOR3Spy7QuEkmKx8-3RCMhSYMzs 
XaEwDdXta9Mn5B7cCBoJKBOIgEnj qfolhIi-uEkUpOZ8aLTZGHfpl05 
jMwbKkTe2yK3mjF6SBAsgicQDVCkcY9BLluzx1RmC3ORXaMOJaHPB93Y 
cdSDGgpgBWMVrNU1IErkjcMqMoT wtCex3w03XdLkjXIuEr2hWgeP-nkU 
ZTPUS9EOGSPj6fAS-bSz87RCPrxZdj iVyC6QWcqAu07WNhjzJEPc4jVn 
tRJ6K53NgPQ5p991324080Uqj4ioYezbS6vTPlO", 

"tag": "WuGzxmcreYjpHGJoal7EBg" 
} 

Figure 118: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 


{ 

"protected": "eyJhbGciOiJFQORILUVTKOExMjhLVyIsImtpZCI6InBlcm 
VncmluLnRvb2tAdHVja2Jvcm9122guZXhhbXBsZSIsImVwayl6eyJrdH 
kiOiJFQyIsImNydil6IlAtMzgOliwieCI6InVCbzRrSFB3NmtianglbD 
B4b3dyZF9vWXpCbWF6LUdGLRlplNHhBRkZrYllpV2dl1dEVLNml1RURZzUT 
Z3TmROZzMiLCJ5Ijoic3AzcDVTR2haVkMyZmFYdW1JLWU5S1UyTW84S3 
BvWXJGRHIl1eVBOVnRXNFBnRXdaT3lRVEEtSmRhWThOYjdFMCJ9LCJlbm 
MiOiJBMTIA4RONNInO", 

"encrypted_key": "ODJjBXri kBcCA6IKkU5 Jk9BqaQeHdv2", 

"iv": "mH-G2zVqgztUtnW ", 

"ciphertext": "tkZuOO9h950gHJUmkkrfLBisku8rGf6nzVxhRM3sVOhXgz 
5NJ760ID7l1pnAi cPWJRCjSpAaUZ5dOR3Spy7QuEkmKx8-3RCMhSYMzs 
XaEwDdXta9Mn5B7cCBoJKBOIgEnj qfolhIi-uEkUpOZ8aLTZGHfpl05 
jMwbKkTe2yK3mjF6SBAsgicQODVCkcY9BLluzx1RmC3ORXaMOJaHPB93Y 
cdSDGgpgBWMVrNUIErkjcMqMoT wtCex3w03XdLkjXIuEr2hWgeP-nkU 
ZTPUS9EOGSPj6fAS-bSz87RCPrxZdj iVyC6QWcqAu07WNhjzJEPc4jVn 
tRJ6K53NgPQ5p991324080Uqj4ioYezbS6vTPlO", 

"tag": "WuGzxmcreYjpHGJoal7EBg" 
} 

Figure 119: Flattened JWE JSON Serialization 

5.5. Key Agreement Using ECDH-ES with AES-CBC-HMAC-SHA2 
This example illustrates encrypting content using the "ECDH-ES" 
(Elliptic Curve Diffie-Hellman Ephemeral-Static) key agreement 
algorithm and the "A128CBC-HS256" (AES-128-CBC-HMAC-SHA-256) content 
encryption algorithm. 
Note that only the EC public key is necessary to perform the key 
agreement. However, the example includes the EC private key to allow 
readers to validate the output. 


Note that whitespace is added for readability as described in 
Section 1.1. 
5.5.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 
o EC public key; this example uses the public key from Figure 120. 
o "alg" parameter of "ECDH-ES". 


o "enc" parameter of "A128CBC-HS256". 


{ 
"kty": "EC", 
"kid": "meriadoc.brandybuck@buckland.example", 
"use": "enc", 
"crv": "P-256", 
"x": "Ze2loSV3wrroKUN_4zhwGhCqo3xhultd4QjeQ5wIVRO", 
"y": "HILtdXARY f55A3fnzQbPcmó6hgr34Mp8p-nuzQCEOZw", 
"d": "r kHyZ-a06rmxM3yESK84rlotSg-aQcVStkRhA-iCM8" 
} 


Figure 120: Elliptic Curve P-256 Key 
(NOTE: While the key includes the private parameters, only the public 
parameters "crv", "x", and "y" are necessary for the encryption 
operation.) 
5.5.2. Generated Factors 


The following is generated before encrypting: 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 121. 


yc9N8v5sYyv3iGQT9261Ug 
Figure 121: Initialization Vector, base64url-encoded 


NOTE: The Content Encryption Key (CEK) is not randomly generated; 
instead, it is determined using ECDH-ES key agreement. 
5.5.3. Key Agreement 
The following is generated to agree on a CEK: 


o Ephemeral private key; this example uses the private key from 


Figure 122. 

{ 
"kty": "EC", 
"crv": "P-256", 
"x": "mPUKT bAWGHIhgOTpjjqVsPl1rXWQu vwVOHHtNkdYoA", 
"y": "8BOAsImGeASA6fyWw5MhYfGTTOIjBpFw2SS34Dv4Irs", 
"d": "AtH35vJsQ9SGjYfOsjUxYXOKrPH3FjZHmECtSKoSN8cM" 
} 

Figure 122: Ephemeral Private Key, in JWK Format 
Performing the ECDH operation using the static EC public key 
(Figure 120) over the ephemeral private key (Figure 122) produces the 
following CEK: 


hzHdlfQIAEehb8Hrd mFRhKsKLEzPfshfXs9l6areCc 


Figure 123: Agreed-to Content Encryption Key, base64url-encoded 
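Sections 5.4.3 and 5.5.3 both turn the ECDH shared secret Z into a key with the Concat KDF of RFC 7518, but with different inputs: in 5.4 the derived key wraps the CEK, so its AlgorithmID and length (128 bits) come from "alg"; in 5.5 the derived key is the CEK of Figure 123 itself, so they come from "enc" (256 bits for "A128CBC-HS256"). The following Python is an added example, not code from the RFC or the cookbook repository: it builds the OtherInfo for both headers and runs the KDF. The elliptic-curve point multiplication that produces Z is outside the standard library, so Z is taken from the known-answer computation in RFC 7518 Appendix C rather than from the keys in Figures 120 and 122.

```python
import base64
import hashlib
import struct

# Key sizes in bits (RFC 7518). For "ECDH-ES" the derived key is the CEK,
# so its length and AlgorithmID are those of "enc"; for "ECDH-ES+AxxxKW"
# the derived key wraps the CEK, so they are those of "alg".
ENC_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
            "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}
WRAP_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _len_prefixed(data: bytes) -> bytes:
    """Datalen || Data with a 32-bit big-endian length (empty -> 4 zero octets)."""
    return struct.pack(">I", len(data)) + data


def concat_kdf_otherinfo(algorithm_id: str, apu: bytes, apv: bytes,
                         keydatalen: int) -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo."""
    return (_len_prefixed(algorithm_id.encode("ascii"))
            + _len_prefixed(apu)
            + _len_prefixed(apv)
            + struct.pack(">I", keydatalen))


def concat_kdf(z: bytes, otherinfo: bytes, keydatalen: int) -> bytes:
    """Single-step KDF of NIST SP 800-56A with SHA-256, as RFC 7518 4.6.2 fixes it.

    Each block is SHA-256(counter || Z || OtherInfo) with a 32-bit counter
    starting at 1; the output is truncated to keydatalen bits.
    """
    if keydatalen % 8:
        raise ValueError("keydatalen must be a whole number of octets")
    out = b""
    counter = 1
    while len(out) * 8 < keydatalen:
        out += hashlib.sha256(struct.pack(">I", counter) + z + otherinfo).digest()
        counter += 1
    return out[: keydatalen // 8]


def ecdh_es_derive(z: bytes, header: dict) -> bytes:
    """Derive the key the JWE header calls for from the shared secret Z."""
    alg = header["alg"]
    if alg == "ECDH-ES":
        algorithm_id, bits = header["enc"], ENC_BITS[header["enc"]]
    elif alg in WRAP_BITS:
        algorithm_id, bits = alg, WRAP_BITS[alg]
    else:
        raise ValueError("not an ECDH-ES algorithm")
    apu = b64url_decode(header.get("apu", ""))  # absent -> zero-length field
    apv = b64url_decode(header.get("apv", ""))
    return concat_kdf(z, concat_kdf_otherinfo(algorithm_id, apu, apv, bits), bits)


def derived_key_b64(z: bytes, header: dict) -> str:
    return b64url_encode(ecdh_es_derive(z, header))


# Known-answer input from RFC 7518 Appendix C: shared secret Z, apu "Alice",
# apv "Bob", enc "A128GCM"; the expected derived key is VqqN6vgjbSBcIijNcacQGg.
RFC7518_Z = bytes([158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131,
                   191, 132, 38, 156, 251, 49, 110, 163, 218, 128, 106, 72,
                   246, 218, 167, 121, 140, 254, 144, 196])
RFC7518_HEADER = {"alg": "ECDH-ES", "enc": "A128GCM", "apu": "QWxpY2U", "apv": "Qm9i"}

# The alg/enc pairs of this document's Sections 5.4 and 5.5 (no apu/apv).
HEADER_5_4 = {"alg": "ECDH-ES+A128KW", "enc": "A128GCM"}
HEADER_5_5 = {"alg": "ECDH-ES", "enc": "A128CBC-HS256"}

if __name__ == "__main__":
    print(derived_key_b64(RFC7518_Z, RFC7518_HEADER))
    print(len(ecdh_es_derive(RFC7518_Z, HEADER_5_4)), "octet wrapping key for 5.4")
    print(len(ecdh_es_derive(RFC7518_Z, HEADER_5_5)), "octet CEK for 5.5")
```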


5.5.4.  Encrypting the Content 
The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 124, encoded to base64url [RFC4648] as Figure 125. 


{ 
"alg": "ECDH-ES", 
"kid": "meriadoc.brandybuck@buckland.example", 
"epk": { 
"kty": "EC", 
"crv": "P-256", 
"x": "mPUKT bAWGHIhgOTpjjqVsPl1rXWQu vwVOHHtNkdYoA", 
"y": "S8BOQAsImGeASA46fyWw5MhYfGTTOIjBpFw2SS34Dv4Irs" 
}, 
"enc": "A128CBC-HS256" 
} 


Figure 124: JWE Protected Header JSON 
eyJhbGciOiJFQORILUVTIiwia2lkIjoibWVyaWFkb2MuYnJhbmR5YnVjaOBidW 
NrbGFuZC5leGFtcGxlliwiZXBrIjp7ImtOeSI6IKkVDIiwiY3J21joiUCOyNTYi 
LCJAIjoibVBVS1RfYkFXROhJaGcwVHBqanFWclAxclhXUXVfdndWTOhIdE5rZF 
lvQSIsInkiOil4QlFBCcOltR2VBUzQ2ZnlXdzVNaFlmR1RUMElqQOnBGdzJTUzMO 
RHYOSXJzInO0sImVuYyIl6IkExMjhDOkMtSFMyNTYifQ 

Figure 125: JWE Protected Header, base64url-encoded 


Performing the content encryption operation on the Plaintext 
(Figure 72) using the following: 


o CEK (Figure 123); 
o Initialization Vector (Figure 121); and 
o JWE Protected Header (Figure 125) as authenticated data 
produces the following: 
o Ciphertext from Figure 126. 
o Authentication Tag from Figure 127. 
BoDlwPnTypYq-ivjmQvAYJLb5Q61-F3LIgOQomlz87yWA4OPKbWElzSTEFjDfhU9 
IPIOSA9Bml4m7iDFwA-1ZXvHteLDtwA4R1XRGMEsDIqAYtskTTmzmzNa- g4F e 
vAPUmwlO-ZG45Mnq4uhMlfm D9rBtWolqzSF3xGNNkpOMOKF1C18i8wjzRli7- 
IXgyirlKOsbhhqRzkv81lcY6aH124j03C-AR21elr7URUhArM79BY8soZUOlzwI 
-sD5PZ314NDCCei9XkoIlAfsXJWmySPoeRb2Ni5UZLAmYpvKDiwmyzGd65KqVw7 
MsFfI K767G9C9Azp73gKZDODyUnlmnOWW5LmyX yJ-3AROq8p1WZBfG-ZyJ61 
95 JGG2m9Csg 
Figure 126: Ciphertext, base64url-encoded 
WCCkNa-x4BeB9hIDIfFuhg 
Figure 127: Authentication Tag, base64url-encoded 
5.5.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 114) 
o Initialization Vector (Figure 110) 


o Ciphertext (Figure 115) 


o Authentication Tag (Figure 116) 
Only the general JWE JSON Serialization is presented because the 
flattened JWE JSON Serialization is identical. 


The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJFQORILUVTIiwia2lkIjoibWVyaWFkb2MuYnJhbmR5YnVjaOBidW 
NrbGFuZC5leGFtcGxlliwiZXBrIjp7ImtOeSI6IkVDIiwiY3J21joiUCOyNTYi 
LCJAIjoibVBVS1RfYkFXROhJaGcwVHBqanFWclAxclhXUXVfdndWTOhIdE5rZF 
lvQSIsInkiOil4QlFBCOltR2VBUzQ2ZnlXdzVNaFlmR1RUMElqQOnBGdzJTUzMO 
RHYOSXJzInO0sImVuYyIl6IkExMjhDOkMtSFMyNTYifQ 


yc9N8v5sYyv3iGQT9261Ug 


BoDlwPnTypYq-ivjmQvAYJLb5Q61-F3LIgOQomlz87yWA4OPKbWElzSTEFjDfhU9 
IPIOSA9Bm1 4m7iDFwA-1ZXvHteLDtw4R1XRGMEsDIgqAYtskTTmzmzNa-_q4F_e 
vAPUmwlO-ZG45Mnq4uhMlfm D9rBtWolqZzSF3xGNNkpOMOKF1C18i8wjzRli7- 
IXgyirlKOsbhhqRzkv8lcY6aH124j03C-AR21elr7URUhArM79BY8soZUOlzwI 
-sD5PZ314NDCCei 9XkoIAfsXJWmySPoeRb2Ni5UZL4mYpvKDiwmyzGd65KqVvw”7 
MsFfI K767G9C9Azp73gKZDODyUnlmnOWW5LmyX yJ-3AROq8p1WZBfG-ZyJ61 
95 JGG2m9Csg 


WCCkNa-x4BeB9hIDIfFuhg 
Figure 128: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 

"protected": "eyJhbGciOiJFQORILUVTIiwia21kIjoibWVyaWFkb2MuYn 
JhbmR5YnVja0OBidWNrbGFuZC5leGFtcGxlliwiZXBrIljp7ImtOeSI6Ik 
VDIiwiY3J21joiUCOyNTYiLCJAIjoibVBVSl1RfYkFXROhJaGcwVHBqan 
FWclAxclhXUXVfdndWTOhIGdE5rZFlvOQSIsInkiOil4QlFBcOltR2VBUz 
Q2Z2nlXdzVNaFlmR1RUMElqQnBGdzJTUzMORHYOSXJzInOsImVuYyIO6Ik 
ExMjhDQkMtSFMyNTYifQ", 

"iv": "yc9N8v5sYyv3iGQT9261Ug", 

"ciphertext": "BoDlwPnTypYq-ivjmQvAYJLb5061-F3LIgQom1z87yW40 
PKDWE1ZSTEF JDFHUIIPIOSA9Bm1 4m7iDFwA-1ZXvHteLDtw4R1XRGMEs 
DIQAYtskTTImzmzNa-_q4F_evAPUmw10-ZG45Mnq4uhM1fm_D9rBtWolq 
ZSF3xGNNkpOMOKF1C18i8wjzRli7-IXgyirlKOsbhhqRzkv81lcY6aHl2 
4j03C-AR21e1r7URUhArM79BY8soZUOlzwI-sD5PZ314NDCCei9XkoIlA 
fsXJWmySPoeRb2Ni5UZL4mYpvKDiwmyzGd65KqVw7MsFfl K767G9C9A 
zp7/3gKZDODyUnlmnOWW5LmyX yJ-3AROq8p1WZBfG-ZyJ6195 JGG2m9 
Csg", 

"tag": "WCCkNa-x4BeB9hIDIfFuhg" 
} 

Figure 129: General JWE JSON Serialization 
5.6. Direct Encryption Using AES-GCM 
This example illustrates encrypting content using a previously 
exchanged key directly and the "A128GCM" (AES-GCM) content encryption 
algorithm. 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.6.1. Input Factors 
The following are supplied before beginning the encryption process: 


o Plaintext content; this example uses the content from Figure 72. 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 130. 


o "alg" parameter of "dir". 


o "enc" parameter of "A128GCM". 


{ 
"kty": "oct", 
"kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a", 
"use": "enc", 
"alg": "A128GCM", 
"k": "XctOhJAkA-pD9Lh7ZgW_2A" 
} 


Figure 130: AES 128-Bit Key, in JWK Format 
5.6.2. Generated Factors 
The following is generated before encrypting: 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 131. 


refa1670zzKx60AB 


Figure 131: Initialization Vector, base64url-encoded 
5.6.3. Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 132, encoded as base64url [RFC4648] to produce Figure 133. 


{ 
"alg": "dir", 
"kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a", 
"enc": "A128GCM" 
} 


Figure 132: JWE Protected Header JSON 


eyJhbGciOiJkaXIiLCJraWQiOil3N2M3ZTJiOCO2ZTEzLTOlY2YtODY3Mi02MT 
diNWIONTIOM2EiLCJlbmMiOiJBMTIA4RONNInO 


Figure 133: JWE Protected Header, base64url-encoded 


Performing the encryption operation on the Plaintext (Figure 72) 
using the following: 


o CEK (Figure 130); 
o Initialization Vector (Figure 131); and 
o JWE Protected Header (Figure 133) as authenticated data 
produces the following: 
o Ciphertext from Figure 134. 
o Authentication Tag from Figure 135. 
JW i f52hww ELOPGaYyeAB6HYGCR55919TYnSovc23XJoBcW29rHP8yZOZG7Y 
hLpT1bjFuvZPjOS-mOIFtVcXkZXdH lr FrdYt9HRUYkshtrMmIUAyGmUnd9zM 
DB2nOCRDIHAzFVeJUDXxkUwVAE7 YGRPdcqMyiBoCO-FBdE-Nceb4h3-FtBP-c 
BIwCPT jb900SbdcdREEMJMy ZBH8ySWMVilgPD9yxi-aQpGbSv_FIN4IZAxscj5 
g-NJsUPbjk29-s7LJAGb15wEBt XphVvCgyy53CoIKLHHeJHXex45Uz9aKZSRSIn 
ZI-wjsYOyu3cTA aQ3ilo-tiE-F81l0s61EKgyIQA4CWao8PFMj8TTnp 

Figure 134: Ciphertext, base64url-encoded 


vbb32Xvllea20tmHAdccRQ 


Figure 135: Authentication Tag, base64url-encoded 
5.6.4. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 133) 
o Initialization Vector (Figure 131) 
o Ciphertext (Figure 134) 
o Authentication Tag (Figure 135) 


Only the general JWE JSON Serialization is presented because the 
flattened JWE JSON Serialization is identical. 


The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJkaXIiLCJraWQiOil3N2M3ZTJiOCO2ZTEzLTOl1Y2YtODY3Mi02MT 
diNWIONTIOM2EiLCJlbmMiOiJBMTIA4RONNInO 


refa4670zzKx6QAB 


JW i f52hww ELOPGaYyeAB6HYGCR55919TYnSovc23XJoBcW29rHP8yZOZG7Y 
hLpT1bjFuvZPjOS-mOIFtVcXkZXdH lr FrdYt9HRUYkshtrMmIUAyGmUnd9zM 
DB2n0cRDIHAZFVeJUDxkUWVAE7_YGRPdcqMyiBoCO-FBdE-Nceb4h3-FtBP-c_ 
BIwCPTjb900SbdcdREEMJMyZBH8ySWMVilgPD9yxi-aQpGbSv F9NAIZAxscj5 
g-NJSUPDbjk29-s7LJAGb15wEBtXphVCgyy53CoIKLHHeJHXex45Uz9aKZSRSIn 
ZI-wjsYOyu3cTA aQ3ilo-tiE-F810s61EKgyIQ4CWao8PFMj8TTnp 


vbb32Xvllea20tmHAdccRQ 


Figure 136: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 


{ 

"protected": "eyJhbGciOiJkaXIiLCJraWQiOiIl3N2M3ZTJiOCO2ZTEzLT 
QO1Y2YtODY3MiO2MTdiNWIONTIOM2EiLCJlbmMiOiJBMTIARONNInO", 

"iv": "refa467QzzKx6QAB", 

"ciphertext": "JW i f52hww ELOPGaYyeAB6HYGCR55919TYnSovc23XJ 
OBCcW29rHP8yZOZG7YhLpT1bjFuvZPjOS-mOIFtVcXkZXdH lr FrdYt9 
HRUYkshtrMmIUAyGmUnd9zMDB2nOcRDIHAZzFVeJUDxkUwVAE7 YGRPdc 
qMy iBoCO-FBdE-Nceb4h3-FtBP-c_BIwCPT jb900SbdcdREEMJMyZBH8 
ySWMVilgPD9yxi-aQpGbSv F9NAIZAxsCj5g-NJSUPbjk29-s7LJAGD1 
5wEBtXphVCgyy53CoIKLHHeJHXex45Uz9aKZSRSInZI-wjsYOyu3cTA 
aQ3ilo-tiE-F8los61EKgylOA4CWao8PFMj8TTnp",

"tag": "vbb32Xvllea20tmHAdccRQ"
}

Figure 137: General JWE JSON Serialization 

5.7. Key Wrap Using AES-GCM KeyWrap with AES-CBC-HMAC-SHA2

This example illustrates encrypting content using the "A256GCMKW"
(AES-256-GCM-KeyWrap) key encryption algorithm with the "A128CBC-
HS256" (AES-128-CBC-HMAC-SHA-256) content encryption algorithm.


Note that whitespace is added for readability as described in 
Section 1.1. 


5.7.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 
o AES symmetric key; this example uses the key from Figure 138. 
o "alg" parameter of "A256GCMKW". 


o "enc" parameter of "A128CBC-HS256". 
{
"kty": "oct",
"kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d",
"use": "enc",
"alg": "A256GCMKW",
"k": "qC571_uxcm7Nm3K-ct4GFjx8tM1U8CZONLBvdQstis8"
}
Figure 138: AES 256-Bit Key 
5.7.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 139. 


o Initialization Vector for content encryption; this example uses 
the Initialization Vector from Figure 140. 


UWxARpat23nL9ReIj4WG3Dlee9T4r-Mv5QLuFXdy_rE
Figure 139: Content Encryption Key, base64url-encoded 
gz6NjyEFNm_vm8Gj6FwoFQ
Figure 140: Initialization Vector, base64url-encoded 
5.7.3.  Encrypting the Key 
The following is generated before encrypting the CEK: 


o Initialization Vector for key wrapping; this example uses the 
Initialization Vector from Figure 141. 


KkYT0GX_2jHlfqN_


Figure 141: Initialization Vector for Key Wrapping, base64url-encoded 
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Performing the key encryption operation over the CEK (Figure 139) 
with the following: 

o AES symmetric key (Figure 138); 

o Initialization Vector (Figure 141); and 

o The empty string as authenticated data 

produces the following: 

o Encrypted Key from Figure 142. 

o Authentication Tag from Figure 143. 

lJf3HbOApxMEBkCMOoTnnABxs_CvTWUmZQ2ElLvYNok

Figure 142: Encrypted Key, base64url-encoded 

kfPduVQ3T3H6vnewt--ksw 

Figure 143: Authentication Tag from Key Wrapping, base64url-encoded 
5.7.4.  Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 144, encoded to base64url [RFC4648] as Figure 145.

{
"alg": "A256GCMKW",
"kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d",
"tag": "kfPduVQ3T3H6vnewt--ksw",
"iv": "KkYT0GX_2jHlfqN_",
"enc": "A128CBC-HS256"
}

Figure 144: JWE Protected Header JSON 
eyJhbGciOiJBMjU2R0NNS1ciLCJraWQiOiIxOGVjMDhlMS1iZmE5LTRkOTUtYj
IwNS0yYjRkZDFkNDMyMWQiLCJ0YWciOiJrZlBkdVZRM1QzSDZ2bmV3dC0ta3N3
IiwiaXYiOiJLa1lUMEdYXzJqSGxmcU5fIiwiZW5jIjoiQTEyOENCQy1IUzI1Ni
J9

Figure 145: JWE Protected Header, base64url-encoded


Performing the content encryption operation over the Plaintext 
(Figure 72) with the following: 


o CEK (Figure 139); 
o Initialization Vector (Figure 140); and 
o JWE Protected Header (Figure 145) as authenticated data 
produces the following: 
o Ciphertext from Figure 146. 
o Authentication Tag from Figure 147. 
Jf5p9-ZhJlJy IQ byKFmIORo7w7GlOiaZpI180aiVgD8kEqoDZHyFKFBupS8iaE 
eVIgMqWmsuJKuoVgzR3YfzoMd3GxEm3VxNhzWyWtZzKXOgxKdy6HgLvqoGNbZCz 
LjgcpDiF8q2 62kbEVAbr2uSc2oaxFmFuIOHLCqAHxy51449xkjZ7ewzZaGV3eFq 
hpco804DijXaG5 7kp3h2cajRfDgymuxUbWgLqaeNQaJtvJmSMFuEOSAzw9Hde 
b6yhdTynCRmu-kqtO5Dec41T20MZKpnxc F1 AyDJFcqb5CiDSmA-psB2k0Jtj 
XAjAUPI6100NK7zzFIu4AgBfjJCndsZfdvG7h8wGjV980hrKEnR7xKZ3KCrO0 qgR 
1B-gxpNk3xWU 

Figure 146: Ciphertext, base64url-encoded 


DKW7jrb4WaRSNfbXVP1T5g


Figure 147: Authentication Tag, base64url-encoded
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5.7.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 145) 
o Encrypted Key (Figure 142) 
o Initialization Vector (Figure 140) 
o Ciphertext (Figure 146) 
o Authentication Tag (Figure 147) 
The resulting JWE object using the JWE Compact Serialization: 
eyJhbGciOiJBMjU2R0NNS1ciLCJraWQiOiIxOGVjMDhlMS1iZmE5LTRkOTUtYj
IwNS0yYjRkZDFkNDMyMWQiLCJ0YWciOiJrZlBkdVZRM1QzSDZ2bmV3dC0ta3N3
IiwiaXYiOiJLa1lUMEdYXzJqSGxmcU5fIiwiZW5jIjoiQTEyOENCQy1IUzI1Ni
J9
.
lJf3HbOApxMEBkCMOoTnnABxs_CvTWUmZQ2ElLvYNok
.
gz6NjyEFNm_vm8Gj6FwoFQ
.
Jf5p9-ZhJlJy IQ byKFmI0Ro7w7G10iaZpI80aiVgD8EqoDZHyFKFBupS8iaE 
eVIgMqWmsuJKuoVgzR3YfzoMd3GxEm3VxNhzWyWtZzKXOgxKdy6HgLvqoGNbZCz 
LjgcpDiF8q2 62kEVAbr2uSc2oaxFmFuIOHLCqAHxy51449xkjZ7ewzZaGV3eFq 
hpco804DijXaG5 7kp3h2cajRfDgymuxUbWgLqaeNQaJtvJmSMFuEOSAzw9Hde 
b6yhdTynCRmu-kqtO5Dec41T20MZKpnxc F1 AyDJFcqb5CiDSmA-psB2k0Jtj 
XAjAUPI6100NK7zzFIu4gBfjJCndsZfdvG7h8wGjV980hrKEnR7xKZ3KCrO0 qgR 
1B-gxpNk3xWU 
.
DKW7jrb4WaRSNfbXVP1T5g


Figure 148: JWE Compact Serialization 
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The resulting JWE object using the general JWE JSON Serialization: 


{
"recipients": [
{
"encrypted_key": "lJf3HbOApxMEBkCMOoTnnABxs_CvTWUmZQ2ElLvYNok"
}
],
"protected": "eyJhbGciOiJBMjU2R0NNS1ciLCJraWQiOiIxOGVjMDhlMS
1iZmE5LTRkOTUtYjIwNS0yYjRkZDFkNDMyMWQiLCJ0YWciOiJrZlBkdV
ZRM1QzSDZ2bmV3dC0ta3N3IiwiaXYiOiJLa1lUMEdYXzJqSGxmcU5fIi
wiZW5jIjoiQTEyOENCQy1IUzI1NiJ9",
"iv": "gz6NjyEFNm_vm8Gj6FwoFQ",

"ciphertext": "Jf5p9-ZhJlJy IQ byKFmI0Ro7w7G10iaZpI80aiVgD8E 
goDZHyFKFBupS8iaEeVIgMqwmsuJKuoVgzR3YfzoMd3GxEm3VxNhzWyW 
tZKXOgxKdy6HgLvqoGNbZCzLjqcpDiF8q2 62EVAbr2uSc2oaxFmFuIQ 
HLCgAHxy51449xkjZ7ewzZaGV3eFqhpco804DijXaG5 7kp3h2cajRfD 
gymuxUbWgLqaeNQaJtvJmSMFuEOSAzw9Hdeb6yhdTynCRmu-kqtO5Dec 
41T20MZKpnxc F1 A4yDJFcqb5CiDSmA-psB2k0JtjxAj4UPI6100NK7z 
zFIu4gBfjJCndsZfdvG7h8wGjV98O0hrKEnR7xKZ3KCr0 qR1B-gxpNk3 
xWU",

"tag": "DKW7jrb4WaRSNfbXVP1T5g"
}

Figure 149: General JWE JSON Serialization 
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The resulting JWE object using the flattened JWE JSON Serialization: 


{
"protected": "eyJhbGciOiJBMjU2R0NNS1ciLCJpdiI6IktrWVQwR1hfMm
pIbGZxTl8iLCJraWQiOiIxOGVjMDhlMS1iZmE5LTRkOTUtYjIwNS0yYj
RkZDFkNDMyMWQiLCJ0YWciOiJrZlBkdVZRM1QzSDZ2bmV3dC0ta3N3Ii
wiZW5jIjoiQTEyOENCQy1IUzI1NiJ9",
"encrypted_key": "lJf3HbOApxMEBkCMOoTnnABxs_CvTWUmZQ2ElLvYNok",
"iv": "gz6NjyEFNm_vm8Gj6FwoFQ",

"ciphertext": "Jf5p9-ZhJlJy IQ byKFmIORo7w7GlOiaZpI80aiVgD8E 
goDZHyFKFBupS8iaEeVIgMqwmsuJKuoVgzR3YfzoMd3GxEm3VxNhzWyW 
tZKXOgxKdy6HgLvqoGNbZCzLjqcpDiF8q2 62EVAbr2uSc2oaxFmFuIOQ 
HLCgAHxy51449xkjZ7ewzZaGV3eFqhpco804DijXaG5 7kp3h2cajRfD 
gymuxUbWgLqaeNQaJtvJmSMFuEOSAzw9Hdeb6yhdTynCRmu-kqtO5Dec 
41T20MZKpnxc F1 4yDJFcqb5CiDSmA-psB2k0JtjxAj4UPI6100NK7z 
zFIu4gBfjJCndsZfdvG7h8wGjV98OQhrKEnR7xKZ3KCr0 qgR1B-gxpNk3 
xWU",

"tag": "NvBveHr_vonkvflfnUrmBQ"
}

Figure 150: Flattened JWE JSON Serialization 
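The two operations of Sections 5.7.3 and 5.7.4, as an added Go example; this is not code from the RFC or from the ietf-jose/cookbook repository. "A256GCMKW" wraps the CEK with AES-256-GCM under a fresh 96-bit iv and an empty AAD, and the wrap iv and tag are carried as the "iv" and "tag" header parameters (Figure 144); "A128CBC-HS256" splits the 256-bit CEK into an HMAC key and an AES-CBC key, pads and encrypts, then tags with HMAC-SHA-256 over the AAD, the IV, the ciphertext and the 64-bit AAD bit length. The KEK, CEK, IVs, kid and plaintext are constructed stand-ins rather than the Figure 138 to 141 values, so the printed compact serialization is not Figure 148, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

func gcmFor(kek, iv []byte) (cipher.AEAD, error) {
	if len(kek) != 32 || len(iv) != 12 {
		return nil, errors.New("A256GCMKW needs a 256-bit KEK and a 96-bit iv")
	}
	block, _ := aes.NewCipher(kek) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// a256gcmkwWrap: AES-256-GCM over the CEK, no AAD; iv and the 128-bit tag go into the header.
func a256gcmkwWrap(kek, iv, cek []byte) (encryptedKey, tag []byte, err error) {
	gcm, err := gcmFor(kek, iv)
	if err != nil {
		return nil, nil, err
	}
	out := gcm.Seal(nil, iv, cek, nil) // ciphertext || tag
	return out[:len(cek)], out[len(cek):], nil
}

func a256gcmkwUnwrap(kek, iv, encryptedKey, tag []byte) ([]byte, error) {
	gcm, err := gcmFor(kek, iv)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, append(append([]byte{}, encryptedKey...), tag...), nil)
}

// cbcHmacTag: HMAC-SHA-256 over AAD || IV || ciphertext || AL (AAD bit length, 64-bit big-endian), first 128 bits.
func cbcHmacTag(macKey, aad, iv, ciphertext []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{aad, iv, ciphertext, al} {
		m.Write(part)
	}
	return m.Sum(nil)[:16]
}

// a128cbcHs256Encrypt uses the first half of the CEK as MAC_KEY and the second as ENC_KEY; aad is the
// ASCII of the base64url-encoded protected header, the exact bytes the recipient must reconstruct.
func a128cbcHs256Encrypt(cek, iv, plaintext, aad []byte) (ciphertext, tag []byte, err error) {
	if len(cek) != 32 || len(iv) != 16 {
		return nil, nil, errors.New("A128CBC-HS256 needs a 256-bit CEK and a 128-bit iv")
	}
	block, _ := aes.NewCipher(cek[16:]) // ENC_KEY is 16 bytes, so NewCipher cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
	return ciphertext, cbcHmacTag(cek[:16], aad, iv, ciphertext), nil
}

// a128cbcHs256Decrypt checks the tag in constant time before any decryption or unpadding, so a
// wrong key, a changed header and a padding fault all surface as the same single error.
func a128cbcHs256Decrypt(cek, iv, ciphertext, tag, aad []byte) ([]byte, error) {
	if len(cek) != 32 || len(iv) != 16 || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("A128CBC-HS256: bad input lengths")
	}
	if subtle.ConstantTimeCompare(cbcHmacTag(cek[:16], aad, iv, ciphertext), tag) != 1 {
		return nil, errors.New("A128CBC-HS256: authentication tag mismatch")
	}
	block, _ := aes.NewCipher(cek[16:])
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	pad := int(padded[len(padded)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(padded[len(padded)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("A128CBC-HS256: bad padding")
	}
	return padded[:len(padded)-pad], nil
}

func main() {
	kek, cek := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed stand-ins,
	kwIV, iv := bytes.Repeat([]byte{0x33}, 12), bytes.Repeat([]byte{0x44}, 16) // not Figures 138-141
	encKey, kwTag, _ := a256gcmkwWrap(kek, kwIV, cek)
	hdr := fmt.Sprintf(`{"alg":"A256GCMKW","kid":"example-kid","tag":"%s","iv":"%s","enc":"A128CBC-HS256"}`,
		b64.EncodeToString(kwTag), b64.EncodeToString(kwIV)) // wrap iv and tag ride in the header
	protected := b64.EncodeToString([]byte(hdr))
	ct, tag, _ := a128cbcHs256Encrypt(cek, iv, []byte("We are your friends, Frodo."), []byte(protected))
	fmt.Println(strings.Join([]string{protected, b64.EncodeToString(encKey),
		b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."))
}
```

The decrypt side verifies the tag over the exact protected-header bytes before it touches the ciphertext; a recipient that re-serialises the header, or that unpads before checking the tag, turns this construction into a padding oracle.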

5.8. Key Wrap Using AES-KeyWrap with AES-GCM 
The following example illustrates content encryption using the 
"A128KW" (AES-128-KeyWrap) key encryption algorithm and the "A128GCM" 
(AES-128-GCM) content encryption algorithm. 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.8.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 
o AES symmetric key; this example uses the key from Figure 151. 
o "alg" parameter of "A128KW".


o "enc" parameter of "A128GCM". 
{
"kty": "oct",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8",
"use": "enc",
"alg": "A128KW",
"k": "GZy6sIZ6wl19NJOKB-3nmVQ"
}
Figure 151: AES 128-Bit Key 
5.8.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key; this example uses 
the key from Figure 152. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 153. 


aY5_Ghmk9KxWPBLu_glxlw
Figure 152: Content Encryption Key, base64url-encoded 
OxOpmsDa8KnJc9Jo 
Figure 153: Initialization Vector, base64url-encoded 
5.8.3. Encrypting the Key 
Performing the key encryption operation over the CEK (Figure 152) 
with the AES symmetric key (Figure 151) produces the following 
Encrypted Key: 
CBI6oDw8MydIxlIBntf_lQcw2MmJKIOx
Figure 154: Encrypted Key, base64url-encoded
5.8.4. Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 155, encoded to base64url [RFC4648] as Figure 156. 
{
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8",
"enc": "A128GCM"
}


Figure 155: JWE Protected Header JSON 


eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04MzMyLTQzZDktYTQ2OC
04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn0


Figure 156: JWE Protected Header, base64url-encoded


Performing the content encryption over the Plaintext (Figure 72) with 
the following: 


o CEK (Figure 152); 
o Initialization Vector (Figure 153); and 
o JWE Protected Header (Figure 156) as authenticated data 
produces the following: 
o Ciphertext from Figure 157. 
o Authentication Tag from Figure 158. 
AwliP-KmWgsZ37BvzCefNen6VTbRK3OMAATkvRkHOtPlbTdhtFJgJxeVmJkLD6 
lA1hnWGetdgllc9ADsnWgL56NyxwSYjUL1ZEHCGkd3EkUOvjHi9gTl1b90qSYFfe 
FOLwkcTtjbYKCsiNJQkcIplyeMO3OmuiYSoYJVSpf7ej6zaYcMv3WwdxDFl8RE 
wOhNImk2X1d2JXq6BR53TSFkyT7PwVLuq-1GwtGHlQeg7gDT6xWOJqHDPn H-p 
uQsmthc9Zg0ojmJfqqgFvETUxLAF-KjcBTS5dNy6egwkYtOt8EIHK-oESsKYtZRa 
a8Z27MOZ7UGXxGIMvEmxrGCPeJal4slv2-gaqgKOkEThkaSqdYwOFkQZF 

Figure 157: Ciphertext, base64url-encoded 


ER7MWJZIFBI_NKvn7ZblLw


Figure 158: Authentication Tag, base64url-encoded 
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5.8.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 156) 
o Encrypted Key (Figure 154) 
o Initialization Vector (Figure 153) 
o Ciphertext (Figure 157) 
o Authentication Tag (Figure 158) 
The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04MzMyLTQzZDktYTQ2OC
04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn0
.
CBI6oDw8MydIxlIBntf_lQcw2MmJKIOx
.
OxOpmsDa8KnJc9Jo
.
AwliP-KmWgsZ37BvzCefNen6VTbRK3OMAATkvRkHOtPlbTdhtFJgJxeVmJkLD6 
lA1hnWGetdgllc9ADsnWgL56NyxwSYjUlZEHCGkda3EkUOvjHi9gTlb90qSYFfe 
FOLwkcTtjbYKCsiNJQkcIplyeMO3OmuiYSoYJVSpf7ej6zaYcMv3WwdxDFl8RE 
wOhNImk2X1d2JXq6BR53TSFkyT7PwVLuq-1GwtGHlQeg7gDT6xWOJqHDPn H-p 
uQsmthc9Zg0ojmJfqqgFvETUxLAF-KjcBTS5dNy6egwkYtOt8EIHK-oESKYtZRa 
a8Z27MOZ7UGxGIMvEmxrGCPeJal4slv2-gaqgKOkEThkaSqdYwOFkQZF 
.
ER7MWJZIFBI_NKvn7ZblLw


Figure 159: JWE Compact Serialization 
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The resulting JWE object using the general JWE JSON Serialization: 


{
"recipients": [
{
"encrypted_key": "CBI6oDw8MydIxlIBntf_lQcw2MmJKIOx"
}
],
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn
0",

"iv": "OxOpmsDa8KnJc9Jo", 

"ciphertext": "AwliP-KmWgsZ37BvzCefNen6VTbRK3OMAATkvRkHOtP1b 
TdhtFJgJxeVmJkLD61AlhnWGetdgll1c9ADsnWgL56NyxwSYjUlZEHCGk 
d3EkUOvjHi9gTl1b90qSYFfeFOLwkcTtjbYKCsiNJOkcIplyeMO3OmuiY 
SoYJVSpf7ej6zaYcMv3WwdxDFl8REwOhNImk2X1l1d2JXq6BR53TSFkyT7 
PwVLuq-1GwtGHlQOeg7gDT6xWOJqHDPn H-puOQsmthc9Zg0ojmJfqqgFvE 
TUxLAF-KjcBTS5dNy6egwkYtOt8EIHK-oESKYtZRaa8427MOZ7UGxGIMv 
EmxrGCPeJal4slv2-gaqKOkEThkaSqdYwOFkOZF",

"tag": "ER7MWJZIFBI_NKvn7ZblLw"
}

Figure 160: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 


{
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn
0",
"encrypted_key": "CBI6oDw8MydIxlIBntf_lQcw2MmJKIOx",

"iv": "OxOpmsDa8KnJc9Jo", 

"ciphertext": "AwliP-KmWgsZ37BvzCefNen6VTbRK3OMAATkvRkHOtP1b 
TdhtFJgJxeVmJkLD61A1lhnWGetdg11c9ADsnWgL56NyxwSY jU1ZEHCGk 
d3EkUOvjHi9gTl1b90qSYFfeFOLwkcTtjbYKCsiNJOkcIplyeM0O3OmuiY 
SoYJVSpf7ej6zaYcMv3WwdxDFl8REwOhNImk2X1ld2JXq6BR53TSFkyT7 
PwVLuq-1GwtGHlQeg7gDT6xWOJqHDPn H-puOQsmthc9Zg0ojmJfqqgFvE 
TUxLAF-KjcBTS5dNy6egwkYtOt8EIHK-oESKYtZRaa8Z27MOZ7UGxGIMv 
EmxrGCPeJal4slv2-gaqKOkEThkaSqdYwOFkOZF",

"tag": "ER7MWJZIFBI_NKvn7ZblLw"
}

Figure 161: Flattened JWE JSON Serialization 
5.9. Compressed Content

This example illustrates encrypting content that is first compressed.
It reuses the AES symmetric key, key encryption algorithm, and
content encryption algorithm from Section 5.8.


Note that whitespace is added for readability as described in 
Section 1.1. 


5.9.1. Input Factors 
The following are supplied before beginning the encryption process: 


o Plaintext content; this example uses the content from Figure 72. 


o Recipient encryption key; this example uses the key from 
Figure 151. 


o Key encryption algorithm; this example uses "A128KW". 
o Content encryption algorithm; this example uses "A128GCM". 
o "zip" parameter of "DEF". 


5.9.2. Generated Factors 


The following are generated before encrypting: 


o Compressed Plaintext from the original Plaintext content; 
compressing Figure 72 using the DEFLATE [RFC1951] algorithm 
produces the compressed Plaintext from Figure 162. 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 163. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 164. 


bY BDcIwDEVX-QNUGQEOrIAA4pqlDokYxchxVvbEDGzIJbioOSJwc-f X HPjBu 
8KVFpVtAplVE1-wZo0YjNZ203C7R5v72pV5f£5X382VWjYOpqZKAyjziZOr2B7kQ 
PSy6oZIXUnDYbVKNA4jNXi2u0OyB7tlqSHTjmMODf9OgvrDzfTIOXnyORuUya4zI 
WG3vTOdirOv7BRHFYWq3klk1A gSDJqtcBF-GZxw8 


Figure 162: Compressed Plaintext, base64url-encoded 
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hC-MpLZSuwWv8sexS6ydfw 

Figure 163: Content Encryption Key, base64url-encoded 
p9pUq6XHYOjfEZIl 

Figure 164: Initialization Vector, base64url-encoded 

5.9.3. Encrypting the Key 
Performing the key encryption operation over the CEK (Figure 163) 
with the AES symmetric key (Figure 151) produces the following 
Encrypted Key: 
5vUT2WOtOxKWcekM_IzVQwkGgzlFDwPi
Figure 165: Encrypted Key, base64url-encoded 


5.9.4.  Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 166, encoded to base64url [RFC4648] as Figure 167.

{
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8",
"enc": "A128GCM",
"zip": "DEF"
}


Figure 166: JWE Protected Header JSON 


eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04MzMyLTQzZDktYTQ2OC
04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIiwiemlwIjoiREVGIn0


Figure 167: JWE Protected Header, base64url-encoded
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Performing the content encryption operation over the compressed 
Plaintext (Figure 162, encoded as an octet string) with the 
following: 
o CEK (Figure 163); 
o Initialization Vector (Figure 164); and 
o JWE Protected Header (Figure 167) as authenticated data 
produces the following: 
o Ciphertext from Figure 168. 
o Authentication Tag from Figure 169. 
HbDtOsdailoYziSx25KEeTxmwnh8L8jKMFNc1k3zmMI6VB8hry57tDZ61jXyez 
SPtOfdLVfe6Jf5y5-JaCap JQBcb5opbmT60uWGml8blyiMQOmOn9J--XhhlYgO 
m-BHaqfDO5iTOWxPxFMUedx7WCy8mxgDHjO0aBMG6152PsM-w5E o2B3jDbrYBK 
hpYA7qi3AyijnCJ7BP9rr3U8kxExCpG3mK420TjOw 
Figure 168: Ciphertext, base64url-encoded 
VILuUwuIxaLVmh5X-T7kmA 
Figure 169: Authentication Tag, base64url-encoded 
5.9.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 167) 
o Encrypted Key (Figure 165) 
o Initialization Vector (Figure 164) 


o Ciphertext (Figure 168) 


o Authentication Tag (Figure 169) 
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The resulting JWE object using the JWE Compact Serialization: 


eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04MzMyLTQzZDktYTQ2OC
04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIiwiemlwIjoiREVGIn0
.
5vUT2WOtOxKWcekM_IzVQwkGgzlFDwPi
.
p9pUq6XHYOjfEZIl
.
HbDtOsdailoYziSx25KEeTxmwnh8L8jKMFNc1k3zmMI6VB8hry57tDZ61jXyez 
SPtOfdLVfe6Jf5y5-JaCap_JQBcb5opbmT60uWGml8blyiMQmOn9J--XhhlYgO
m-BHaqfDO5iTOWxPxFMUedx7WCy8mxgDHjO0aBMG6152PsM-w5E_o2B3jDbrYBK
hpYA7qi3AyijnCJ7BP9rr3U8kxExCpG3mK420TjOw
.
VILuUwuIxaLVmh5X-T7kmA
Figure 170: JWE Compact Serialization 


The resulting JWE object using the general JWE JSON Serialization: 


{
"recipients": [
{
"encrypted_key": "5vUT2WOtOxKWcekM_IzVQwkGgzlFDwPi"
}
],
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIi
wiemlwIjoiREVGIn0",

"iv": "p9pUq6XHYOjfEZIl", 

"ciphertext": "HbDtOsdailoYziSx25KEeTxmwnh8L83jKMFNc1k3zmMI6V 
B8hry57tDZ61jXyezSPtOfdLVfe6Jf5y5-JaCap JOBcbb5opbmT60uWG 
ml8blyiMQmOn9J--XhhlYgOm-BHaqfDO5iTOWxPxFMUedx7WCy8mxgDH 
jOaBMG6152PsM-w5E o2B3jDbrYBKhpYA7qi3AyijnCJ7BP9rr3U8kxE 
xXCpG3mK420TjOw",

"tag": "VILuUwuIxaLVmh5X-T7kmA"
}

Figure 171: General JWE JSON Serialization 
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The resulting JWE object using the flattened JWE JSON Serialization: 


{
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIi
wiemlwIjoiREVGIn0",
"encrypted_key": "5vUT2WOtOxKWcekM_IzVQwkGgzlFDwPi",

"iv": "p9pUq6XHYOjfEZIl", 

"ciphertext": "HbDtOsdailoYziSx25KEeTxmwnh8L8 jJKMFNc1k3zmMI6V 
B8hry57tDZ61jXyezSPtOfdLVfe6Jf5y5-JaCap JOBcbb5opbmT60uWG 
ml8blyiMQOmOn9J--XhhlYgO0m-BHaqfDO5iTOWxPxFMUedx7WCy8mxgDH 
jO0aBMG6152PsM-w5E o2B3jDbrYBKhpYA7qi3AyijnCJ7BP9rr3U8kxE 
xXCpG3mK420TjOw",

"tag": "VILuUwuIxaLVmh5X-T7kmA"
}

Figure 172: Flattened JWE JSON Serialization 


5.10. Including Additional Authenticated Data

This example illustrates encrypting content that includes additional
authenticated data. As this example includes an additional top-level
property not present in the JWE Compact Serialization, only the
flattened JWE JSON Serialization and general JWE JSON Serialization
are possible.


Note that whitespace is added for readability as described in 
Section 1.1. 


5.10.1. Input Factors

The following are supplied before beginning the encryption process:

o Plaintext content; this example uses the content from Figure 72.

o Recipient encryption key; this example uses the key from
Figure 151.

o Key encryption algorithm; this example uses "A128KW".

o Content encryption algorithm; this example uses "A128GCM".

o Additional Authenticated Data; this example uses a vCard [RFC7095]
from Figure 173, serialized to UTF-8.
[
"vcard",
[
[ "version", {}, "text", "4.0" ],
[ "fn", {}, "text", "Meriadoc Brandybuck" ],
[ "n", {},
"text", [
"Brandybuck", "Meriadoc", "Mr.", ""
]
],
[ "bday", {}, "text", "TA 2982" ],
[ "gender", {}, "text", "M" ]
]
]

Figure 173: Additional Authenticated Data, in JSON Format 
NOTE: Whitespace between JSON values was added for readability. 
5.10.2. Generated Factors 
The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 174. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 175. 


o Encoded Additional Authenticated Data (AAD); this example uses the 
Additional Authenticated Data from Figure 173, encoded to 
base64url [RFC4648] as Figure 176. 

75ml1ALsYvl10pZTKPWrsqdg 

Figure 174: Content Encryption Key, base64url-encoded 

veCx9ece2orS7c_N

Figure 175: Initialization Vector, base64url-encoded 

WyJ2Y2FyZCIsW1sidmVyc2lvbiIse30sInRleHQiLCI0LjAiXSxbImZuIix7fS
widGV4dCIsIk1lcmlhZG9jIEJyYW5keWJ1Y2siXSxbIm4iLHt9LCJ0ZXh0Iixb
IkJyYW5keWJ1Y2siLCJNZXJpYWRvYyIsIk1yLiIsIiJdXSxbImJkYXkiLHt9LC
J0ZXh0IiwiVEEgMjk4MiJdLFsiZ2VuZGVyIix7fSwidGV4dCIsIk0iXV1d


Figure 176: Additional Authenticated Data, base64url-encoded 
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5.10.3. Encrypting the Key 
Performing the key encryption operation over the CEK (Figure 174) 
with the AES symmetric key (Figure 151) produces the following 
Encrypted Key: 
4YiiQ_ZzH76TalkJmYfRFgOV9MIpnx4X
Figure 177: Encrypted Key, base64url-encoded 
5.10.4.  Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 178, encoded to base64url [RFC4648] as Figure 179.

{
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8",
"enc": "A128GCM"
}

Figure 178: JWE Protected Header JSON 


eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04MzMyLTQzZDktYTQ2OC
04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn0


Figure 179: JWE Protected Header, base64url-encoded


Performing the content encryption operation over the Plaintext with 
the following: 


o CEK (Figure 174); 


o Initialization Vector (Figure 175); and 

o Concatenation of the JWE Protected Header (Figure 179), ".", and 
the base64url [RFC4648] encoding of Figure 173 as authenticated 
data 


produces the following: 
o Ciphertext from Figure 180. 


o Authentication Tag from Figure 181. 
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Z 3cbrOk3bVM6N3oSNmHz7Lyf3iPppGf3Pj1l7wNZqteJOUi8p74SchOP8xygM1 
oFRWCNzela6s6BcEtp8qEFiqTUEyiNkOWDNOoF14T A4NFqF-p2Mx8zkbKxI7oPK 
8KNarFbyxIDvICNqBLba-v3uzXBdB89fzOI-Lv4PjOFAQGHrgvl1rjXAmKbgkft 
9cBAWeyZw8MldbBhc-V KWZslrsLNygon JJWd ek6LOn5NRehvApqf9ZrxB4a 
q3FXBxOxCys35PhCdaggy2kfUfl2OkwKnWUbgXVD1C6HxLIlqHhCwXDG59weHr 
RDOeHyMROB1joV3X bUTJDnKBFOod7nLz-cj48JMx3SnCZTpbOAkFV 
Figure 180: Ciphertext, base64url-encoded 
vOaH_Rajnpy_3hOtqvZHRA
Figure 181: Authentication Tag, base64url-encoded 
5.10.5. Output Results 
The following compose the resulting JWE object: 
o JWE Protected Header (Figure 179) 
o Encrypted Key (Figure 177) 
o Initialization Vector (Figure 175) 
o Additional Authenticated Data (Figure 176) 
o Ciphertext (Figure 180) 


o Authentication Tag (Figure 181) 


The JWE Compact Serialization is not presented because it does not 
support this use case. 
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The resulting JWE object using the general JWE JSON Serialization: 


{
"recipients": [
{
"encrypted_key": "4YiiQ_ZzH76TalkJmYfRFgOV9MIpnx4X"
}
],
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn
0",
"iv": "veCx9ece2orS7c_N",
"aad": "WyJ2Y2FyZCIsW1sidmVyc2lvbiIse30sInRleHQiLCI0LjAiXSxb
ImZuIix7fSwidGV4dCIsIk1lcmlhZG9jIEJyYW5keWJ1Y2siXSxbIm4i
LHt9LCJ0ZXh0IixbIkJyYW5keWJ1Y2siLCJNZXJpYWRvYyIsIk1yLiIs
IiJdXSxbImJkYXkiLHt9LCJ0ZXh0IiwiVEEgMjk4MiJdLFsiZ2VuZGVy
Iix7fSwidGV4dCIsIk0iXV1d",

"ciphertext": "Z 3cbrOk3bVM6N3oSNmHz7Lyf3iPppGf3Pj1l7wNZqteJO 
Ui8p74SchOP8xygMl1o0FRWCNzela6s6BcEtp8qEFiqTUEyiNkOWDNOoF14 
T ANFqF-p2MXx8zkbKxI7oPK8KNarFbyxIDvICNqBLba-v3uzXBdB89fz 
OI-Lv4PjOFAQGHrgvlrjXAmKbgkft9cBAWeyZw8MldbBhc-V KWZslrs 
LNygon JJWd ek6LOn5NRehvApqf9ZrxB4aq3FXBxOxCys35PhCdaggy 
2kfUf120kwKnWUbgXVD1C6HxLI1gqHhCwXDG5 9weHrRDQeHyMRoB130V3 
X_bUTJDnKBFOod7nLz-cj48JMx3SnCZTpbOAKkFV",

"tag": "vOaH_Rajnpy_3hOtqvZHRA"
}

Figure 182: General JWE JSON Serialization 
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The resulting JWE object using the flattened JWE JSON Serialization: 


{
"protected": "eyJhbGciOiJBMTI4S1ciLCJraWQiOiI4MWIyMDk2NS04Mz
MyLTQzZDktYTQ2OC04MjE2MGFkOTFhYzgiLCJlbmMiOiJBMTI4R0NNIn
0",
"encrypted_key": "4YiiQ_ZzH76TalkJmYfRFgOV9MIpnx4X",
"aad": "WyJ2Y2FyZCIsW1sidmVyc2lvbiIse30sInRleHQiLCI0LjAiXSxb
ImZuIix7fSwidGV4dCIsIk1lcmlhZG9jIEJyYW5keWJ1Y2siXSxbIm4i
LHt9LCJ0ZXh0IixbIkJyYW5keWJ1Y2siLCJNZXJpYWRvYyIsIk1yLiIs
IiJdXSxbImJkYXkiLHt9LCJ0ZXh0IiwiVEEgMjk4MiJdLFsiZ2VuZGVy
Iix7fSwidGV4dCIsIk0iXV1d",
"iv": "veCx9ece2orS7c_N",

"ciphertext": "Z 3cbrOk3bVM6N3oSNmHz7Lyf3iPppGf3Pj1l17wNZqteJO 
Ui8p74SchOP8xygMl1o0FRWCNzela6s6BcEtp8qEFiqTUEyiNkOWDNOoF14 
T ANFqF-p2MX8zkbKxIT7oPK8KNarFbyxIDvICNqBLba-v3uzXBdB89fz 
OI-Lv4PjOFAQGHrgvlrjXAmKbgkft9cBAWeyZw8MldbBhc-V KWZslrs 
LNygon JJWd ek6LOn5NRehvApqf9ZrxB4aq3FXBxOxCys35PhCdaggy 
2kfUf120kwKnWUbgXVD1C6HxLI1gqHhCwXDG5 9weHrRDQeHyMRoB13o0V3 
X_bUTJDnKBFOod7nLz-cj48JMx3SnCZTpbOAKkFV",

"tag": "vOaH_Rajnpy_3hOtqvZHRA"
}

Figure 183: Flattened JWE JSON Serialization 
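The content-encryption layer shared by the "dir" example of Section 5.6, the compressed example of Section 5.9 and the AAD example of Section 5.10, written as an added Go example that is not code from the RFC or the cookbook repository. It builds the additional authenticated data exactly as JWE prescribes: the ASCII bytes of the base64url-encoded protected header, with "." and the base64url-encoded aad appended when an aad member is present, and the empty string when nothing is protected (the Section 5.12 case); it applies "zip":"DEF" as raw DEFLATE before encryption and bounds inflation after decryption. The CEK, iv, kid, aad and plaintext are constructed stand-ins, so the output does not reproduce Figures 137, 172 or 183, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

var b64 = base64.RawURLEncoding

// gcmAAD is the byte string A128GCM authenticates: ASCII(BASE64URL(protected)), extended with
// '.' || BASE64URL(aad) when an aad member is present (Section 5.10), and the empty string when
// no header is protected (Section 5.12). The transmitted encodings are used verbatim.
func gcmAAD(protected, aadB64 string) []byte {
	if aadB64 == "" {
		return []byte(protected)
	}
	return []byte(protected + "." + aadB64)
}

func newA128GCM(cek []byte) (cipher.AEAD, error) {
	if len(cek) != 16 {
		return nil, errors.New("A128GCM needs a 128-bit CEK")
	}
	block, _ := aes.NewCipher(cek) // cannot fail for a 16-byte key
	return cipher.NewGCM(block)
}

// deflate is the "zip":"DEF" transform: raw DEFLATE with no zlib or gzip framing.
func deflate(plaintext []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write(plaintext)
	w.Close()
	return buf.Bytes()
}

// encryptContent is the content-encryption step for enc "A128GCM" (with alg "dir" the CEK is the
// shared key). protectedJSON is the JWE Protected Header, "" when every parameter is unprotected;
// aad may be nil; zip must agree with the header's "zip" parameter.
func encryptContent(cek, iv []byte, protectedJSON string, aad, plaintext []byte, zip bool) (protected, aadB64, ciphertext, tag string, err error) {
	gcm, err := newA128GCM(cek)
	if err == nil && len(iv) != gcm.NonceSize() {
		err = errors.New("A128GCM needs a 96-bit iv")
	}
	if err != nil {
		return
	}
	if protectedJSON != "" {
		protected = b64.EncodeToString([]byte(protectedJSON))
	}
	if aad != nil {
		aadB64 = b64.EncodeToString(aad)
	}
	if zip {
		plaintext = deflate(plaintext)
	}
	sealed := gcm.Seal(nil, iv, plaintext, gcmAAD(protected, aadB64))
	n := len(sealed) - gcm.Overhead()
	return protected, aadB64, b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:]), nil
}

// decryptContent verifies the tag before anything else and caps inflation at maxPlain bytes, so a
// hostile compressed payload cannot expand without bound. The caller reads zip from the header.
func decryptContent(cek []byte, protected, aadB64, ivB64, ctB64, tagB64 string, zip bool, maxPlain int64) ([]byte, error) {
	iv, err1 := b64.DecodeString(ivB64)
	ct, err2 := b64.DecodeString(ctB64)
	tag, err3 := b64.DecodeString(tagB64)
	gcm, err4 := newA128GCM(cek)
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil || len(iv) != gcm.NonceSize() {
		return nil, errors.New("malformed JWE member or key")
	}
	pt, err := gcm.Open(nil, iv, append(ct, tag...), gcmAAD(protected, aadB64))
	if err != nil {
		return nil, errors.New("authentication failed: key, header, aad or ciphertext changed")
	}
	if !zip {
		return pt, nil
	}
	inflated, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(pt)), maxPlain+1))
	if err != nil || int64(len(inflated)) > maxPlain {
		return nil, errors.New("inflate failed or inflated content exceeds limit")
	}
	return inflated, nil
}

func main() {
	cek := bytes.Repeat([]byte{0x11}, 16) // constructed; a real CEK comes from crypto/rand
	iv := bytes.Repeat([]byte{0x22}, 12)  // constructed; never reuse an iv under one key
	hdr := `{"alg":"dir","kid":"example-dir-key","enc":"A128GCM","zip":"DEF"}`
	p, a, c, t, _ := encryptContent(cek, iv, hdr, []byte(`["vcard"]`), []byte("We are your friends, Frodo."), true)
	fmt.Printf(`{"protected":%q,"aad":%q,"iv":%q,"ciphertext":%q,"tag":%q}`+"\n", p, a, b64.EncodeToString(iv), c, t)
	pt, err := decryptContent(cek, p, a, b64.EncodeToString(iv), c, t, true, 1<<20)
	fmt.Printf("%s %v\n", pt, err)
}
```

Because the header bytes are part of the AAD, a recipient has to feed the transmitted "protected" string into GCM verbatim; re-encoding a parsed header, even with identical members, yields a different byte string and a tag failure. The inflate cap matters because the tag is verified over the compressed bytes, so a valid, authenticated JWE can still carry a decompression bomb from a sender who holds the key.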


5.11. Protecting Specific Header Fields

This example illustrates encrypting content where only certain JOSE
Header Parameters are protected. As this example includes parameters
in the JWE Shared Unprotected Header, only the general JWE JSON
Serialization and flattened JWE JSON Serialization are possible.


Note that whitespace is added for readability as described in 
Section 1.1. 


5.11.1. Input Factors

The following are supplied before beginning the encryption process:

o Plaintext content; this example uses the content from Figure 72.

o Recipient encryption key; this example uses the key from
Figure 151.

o Key encryption algorithm; this example uses "A128KW".

o Content encryption algorithm; this example uses "A128GCM".
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5.11.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 184. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 185. 


WDgEptBmQs9ouUVArz6x6g


Figure 184: Content Encryption Key, base64url-encoded 


WgEJsDS9bkoXQ3nR


Figure 185: Initialization Vector, base64url-encoded 


5.11.3. Encrypting the Key 


Performing the key encryption operation over the CEK (Figure 184) 


with the AES symmetric key (Figure 151) produces the following 
Encrypted Key: 


jJIcM9J-hbx3wnghf5FlkEYosOsHsFOH


Figure 186: Encrypted Key, base64url-encoded 


5.11.4.  Encrypting the Content 
The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 187, encoded to base64url [RFC4648] as Figure 188.

{
"enc": "A128GCM"
}


Figure 187: JWE Protected Header JSON 


eyJlbmMiOiJBMTI4R0NNIn0


Figure 188: JWE Protected Header, base64url-encoded 
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Performing the content encryption operation over the Plaintext with 
the following: 

o CEK (Figure 184); 
o Initialization Vector (Figure 185); and 
o JWE Protected Header (Figure 188) as authenticated data 
produces the following: 
o Ciphertext from Figure 189. 
o Authentication Tag from Figure 190. 
lIbCyRmRJxnB2yLQOTqjCDKV3H300ssOw3uD9DPSsqLL2DM3swKkjOwQyZtWsFL 
YMj5YeLht StAn21tHmQJuuNt64T8D4t6C7kC9OCCJ1IHAOlUv4MyOt80MOoPb8 
fZYbNKqplzYJglL58g9g8N2v460gyG637d6uuKPwhAnTGm zWhqc srOvgiLkzyF 
XPq1hBAURbCc3-8BqeRb48iR1- 5g5UjWVD3lgiLCN P7AW8mIiFvUNXBPJK3nO 
WL4teUPS8yHLbWeL8301U4UAgL48x-8dDkH23JykibVSQju-f7e-1xreHWXzWL 
HslNqBbreOdEwK3HX xMOLjUz77Krppgegoutpf5qaKg3l- xMINmf 
Figure 189: Ciphertext, base64url-encoded 

fNYLqpUe84KD451vDiaBAQ 

Figure 190: Authentication Tag, base64url-encoded 

5.11.5. Output Results 
The following compose the resulting JWE object: 

o JWE Shared Unprotected Header (Figure 191) 

o JWE Protected Header (Figure 188) 
o Encrypted Key (Figure 186) 

o Initialization Vector (Figure 185) 
o Ciphertext (Figure 189) 


o Authentication Tag (Figure 190) 


The JWE Compact Serialization is not presented because it does not 
support this use case. 
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The following JWE Shared Unprotected Header is generated before 
assembling the output results: 


{
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8"
}

Figure 191: JWE Shared Unprotected Header JSON 
The resulting JWE object using the general JWE JSON Serialization: 


{
"recipients": [
{
"encrypted_key": "jJIcM9J-hbx3wnghf5FlkEYosOsHsFOH"
}
],
"unprotected": {
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8"
},
"protected": "eyJlbmMiOiJBMTI4R0NNIn0",
"iv": "WgEJsDS9bkoXQ3nR",
"ciphertext": "IIbCyRmRJxnB2yLOOTqjCDKV3H300ssOw3uD9DPsqLL2D
M3swKkjOwOyZtWsFLYMj5YeLht StAn21tHmQJuuNt64T8D4t6C7kC9O 
CCJ1IHAOlUv4AMyOt80MoPb8fZYbNKqplzYJglL58g9g8N2v460gyG637d6 
uuKPwhAnTGm zWhqc srOvgiLkzyFXPq1hBAURbc3-8BqeRb48iR1- 5 
g5UjWVD3lgiLCN P7AW8mIiFvUNXBPJK3nOWLA4teUPS8yHLbWeL8301U 
4UAgL48x-8dDkH23JykibVSQju-f7e-1xreHWXzWLHs1NqBbreOdEwK3 
HX_xMOLjUz77Krppgegoutpf5qaKg3l-_xMINmf",

"tag": "fNYLqpUe84KD451vDiaBAQ"
}

Figure 192: General JWE JSON Serialization 
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The resulting JWE object using the flattened JWE JSON Serialization: 


{
"protected": "eyJlbmMiOiJBMTI4R0NNIn0",
"unprotected": {
"alg": "A128KW",
"kid": "81b20965-8332-43d9-a468-82160ad91ac8"
},
"encrypted_key": "jJIcM9J-hbx3wnghf5FlkEYosOsHsFOH",
"iv": "WgEJsDS9bkoXQ3nR",

"ciphertext": "IIbCyRmRJxnB2yLOOTqjCDKV3H300ssOw3uD9DPsqLL2D 
M3swKkjOwOyZtWsFLYMj5YeLht StAn21tHmQJuuNt64T8D4t6C7kC9O 
CCJ1IHAOlUv4AMyOt80MoPb8fZYbNKqplzYJglL58g9g8N2v460gyG637d6 
uuKPwhAnTGm zWhqc srOvgiLkzyFXPq1hBAURbc3-8BqeRb48iR1- 5 
g5UjWVD3lgiLCN P7AW8mIiFvUNXBPJK3nOWLA4teUPS8yHLbWeL8301U 
4UAgL48x-8dDkH23JykibVSQju-f7e-1xreHWXzWLHs1NqBbreOdEwK3 
HX_xMOLjUz77Krppgegoutpf5qaKg3l-_xMINmf",

"tag": "fNYLqpUe84KD451vDiaBAQ"
}

Figure 193: Flattened JWE JSON Serialization 
5.12. Protecting Content Only 
This example illustrates encrypting content where none of the JOSE
header parameters are protected. As this example includes parameters
only in the JWE Shared Unprotected Header, only the flattened JWE
JSON Serialization and general JWE JSON Serialization are possible.


Note that whitespace is added for readability as described in 
Section 1.1. 


5.12.1. Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 72. 


o Recipient encryption key; this example uses the key from 
Figure 151. 


o Key encryption algorithm; this example uses "A128KW". 


o Content encryption algorithm; this example uses "A128GCM". 
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5.12.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key; this example uses
the key from Figure 194.


o Initialization Vector; this example uses the Initialization Vector 
from Figure 195. 


KBooAF1300PV3vkcZ1XnzQ 
Figure 194: Content Encryption Key, base64url-encoded 
YihBoVOGsR117jCD 
Figure 195: Initialization Vector, base64url-encoded 
5.12.3.  Encrypting the Key 
Performing the key encryption operation over the CEK (Figure 194) 
with the AES symmetric key (Figure 151) produces the following 
Encrypted Key: 
244YHfO_W7RMpOW81UjOrZcq5LSyqiPv
Figure 196: Encrypted Key, base64url-encoded


5.12.4.  Encrypting the Content 


Performing the content encryption operation over the Plaintext 
(Figure 72) using the following: 


o CEK (Figure 194); 

o Initialization Vector (Figure 195); and 
o Empty string as authenticated data 
produces the following: 

o Ciphertext from Figure 197. 


o Authentication Tag from Figure 198. 
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qtPIMMaOBRgASL10dNQhOa7Gqrk7Eallvwht 7R4TTlugq-arsVCPaleFwOfzrss 
60EUWbBt xEasEOvC6r7sphyVziMCVJEURJyoAHFSP3eqQPb4Ic1SDSqyXjw_L3 
svybhHYUGyQuTmUQEDjgjJfBOifwHIsDsRPeBzlNomqeifVPq5GTCWFo5k_MNI
QURR2WjOAHC2k7JZfu2iWjUHLFS8ExFZLZ4nlmsvJu mvifMYiikfNfsZAudISO 
a6073yPZtLO04k 1FI7WDfrb2w7OqKLWDXzlpcxohPVOLOWpA3mFNRKdY-bQz42Z 
4KX9l1fzlcne31N4-8BKmojpw-OdQjKdLOGkC445Fb K1tlDOXw2sBF 


Figure 197: Ciphertext, base64url-encoded 
e2m0OVm7JvjK2VpCKXS-kyg 
Figure 198: Authentication Tag, base64url-encoded 


5.12.5. Output Results 


The JWE Compact Serialization is not presented because it does not 
support this use case. 


The following JWE Shared Unprotected Header is generated before 
assembling the output results: 


{ 
  "alg": "A128KW", 
  "kid": "81b20965-8332-43d9-a468-82160ad91ac8", 
  "enc": "A128GCM" 
} 

Figure 199: JWE Shared Unprotected Header JSON 
The following compose the resulting JWE object: 
o JWE Shared Unprotected Header (Figure 199) 
o Encrypted Key (Figure 196) 
o Initialization Vector (Figure 195) 
o Ciphertext (Figure 197) 


o Authentication Tag (Figure 198) 
The resulting JWE object using the general JWE JSON Serialization: 

{ 
  "recipients": [ 
    { 
      "encrypted_key": "244YHfO W7RMpOW81UjOrZcq5LSyqiPv" 
    } 
  ], 
  "unprotected": { 
    "alg": "A128KW", 
    "kid": "81b20965-8332-43d9-a468-82160ad91ac8", 
    "enc": "A128GCM" 
  }, 
  "iv": "YihBoVOGsR1173CD", 
  "ciphertext": "qtPIMMaOBRgASL10dNOhOa7Gqrk7Eallvwht7RATTluq- 
      arsVCPaleFwQfzrSS60EUWbBtxEasEOvC6r7sphyVziMCVJEuRJyoAHF 
      SP3eqQPb4Ic1SDSqyXjw L3svybhHYUGyQuTmUQEDjgjJfBOifwHIsDs 
      RPeBzlNomqeifVPq5GTCWFo5k MNIQURR2WjOAHC2k7JZfu2iWjUHLF8 
      ExFZLZ4nlmsvJu mvifMYiikfNfsZAudISOa6073yPZtLO4Ak 1FI7WDf 
      rb2w7OqKLWDXzlpcxohPVOLOwpA3mFNRKdY-bOQzA4ZAKX91fzlcne31NA4 
      -8BKmojpw-OdQjKdLOGkC445Fb, KltlDQXw2sBF", 
  "tag": "e2m0Vm7Jv3jK2VpCKXS-kyg" 
} 

Figure 200: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 

{ 
  "unprotected": { 
    "alg": "A128KW", 
    "kid": "81b20965-8332-43d9-a468-82160ad91ac8", 
    "enc": "A128GCM" 
  }, 
  "encrypted_key": "244YHfO W7RMpOW81UjOrZcq5LSyqiPv", 
  "iv": "YihBoVOGSR117jCD", 
  "ciphertext": "qtPIMMaOBRgASL10dNOhOa7Gqrk7Eallvwht7RATTluq- 
      arsVCPaleFwQfzrSS60EUWbBtxEasEOvC6r7sphyVziMCVJEuRJyoAHF 
      SP3eqOQPb4Ic1SDSqyXjw L3svybhHYUGyQuTmUQEDjgjJfBOifwHIsDs 
      RPeBzlNomqeifVPq5GTCWFo5k MNIQURR2WjOAHC2k7JZfu2iWjUHLF8 
      ExFZLZ4nlmsvJu mvifMYiikfNfsZAudISOa6073yPZtLO4k 1FIT7WDf 
      rb2w7OqKLWDXzlpcxohPVOLOwpA3mFNRKdY-bOQzA4ZAKX91fzlcne31N4 
      -8BKmojpw-OdQjKdLOGkC445Fb, KltlDQXw2sBF", 
  "tag": "e2m0OVm7JvjK2VpCKXS-kyg" 
} 

Figure 201: Flattened JWE JSON Serialization 
5.13. Encrypting to Multiple Recipients 

This example illustrates encrypting content for multiple recipients. 
As this example has multiple recipients, only the general JWE JSON 
Serialization is possible. 

Note that RSAES-PKCS1-v1_5 uses random data to generate the 
ciphertext; it might not be possible to exactly replicate the results 
in this section. 


Note that whitespace is added for readability as described in 
Section 1.1. 


5.13.1. Input Factors 

The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the Plaintext from Figure 72. 
o Recipient keys; this example uses the following: 

* The RSA public key from Figure 73 for the first recipient. 

* The EC public key from Figure 108 for the second recipient. 

* The AES symmetric key from Figure 138 for the third recipient. 
o Key encryption algorithms; this example uses the following: 

* "RSA1 5" for the first recipient. 

* "ECDH-ES+A256KW" for the second recipient. 

*  "A256GCMKW" for the third recipient. 
o Content encryption algorithm; this example uses "A128CBC-HS256". 


5.13.2. Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 202. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 203. 
zXayeJ4gvm8NJr3IUInyokTUO-LbONKEhe zWlYbdpO 

Figure 202: Content Encryption Key, base64url-encoded 
VgEIHY20EnzUtZF12RpBlg 

Figure 203: Initialization Vector, base64url-encoded 

5.13.3. Encrypting the Key to the First Recipient 

Performing the "RSA1_5" key encryption operation over the CEK 
(Figure 202) with the first recipient's RSA key (Figure 73) produces 
the following Encrypted Key: 
dYOD28kabO0Vvf4ODgxVAJXgHcSZICSOp8M51zjwj4w6Y5GAXJOSNNIBiqyvUUA 
OcpL7S7-cFe7Pio7gV QO06WmCSa-vhW6me4bWrBf7cHwEQJdXihidAYWVajJIla 
KMXMvFRMV6iDI1IRr076DFthg2 AVO tSiV6xSEIFqtixnYPpmP91tc5WJDOGb-w 
qjw0O-b-Si1laS110VbuP78dQ7Fa0zAVzzjHX-xvyM2wxj otxr9clNi1LnZMbeYS 
rRicJK5xodvWgkpIdkMHo4LvdhRRvzoKzlic89jFWPlnBq V4n5trGuExtp -d 
bHcGlihqc wGgho9fLMK8JOArYLCMDNQ 


Figure 204: Recipient #1 Encrypted Key, base64url-encoded 


The following is generated after encrypting the CEK for the first 
recipient: 


o Recipient JWE Unprotected Header from Figure 205. 


"alg" : "RSA1 5 n 
"kid": "frodo.baggins@hobbiton.example" 


Figure 205: Recipient #1 JWE Per-Recipient Unprotected Header JSON 
The following is the assembled first recipient JSON: 

{ 
  "encrypted_key": "dYOD28kab0Vvf40DgxVAJXgHcSZICSOp8M51z jw i4w 
      6Y5G4XJOSNNIBiqyvUUAOcpL7S7-cFe7Pio7gV_006WmCSa-vhW6me4b 
      WrBf7cHwEQJdXihidAYWVajJlaKMXMvFRMV6iD1Rr076DFthg2_AVO_t 
      SiV6xSEIFqt1xnYPpmP 91tcSwJDOGb-wqjw0-b-S11aS110VbuP78dQ7 
      Fa0zAVzzjHX-xvyM2wxj otxr9clN1LnZMbeYSrRicJK5xodvWgkpIdk 
      MHo4LvdhRRvzoKzlic89jFWPlnBq V4nb5trGuExtp -dbHcGlihqc wG 
      gho9fLMK8JOArYLcMDNQ", 
  "header": { 
    "alg": "RSA1_5", 
    "kid": "frodo.baggins@hobbiton.example" 
  } 
} 

Figure 206: Recipient #1 JSON 
5.13.4.  Encrypting the Key to the Second Recipient 


The following is generated before encrypting the CEK for the second 
recipient: 


o Ephemeral EC private key on the same curve as the EC public key; 
this example uses the private key from Figure 207. 


" kty" : "EC " $ 

"cry": "p-384", 

"x": "Uzdvk3pi5wKCRclizp5 r00jeqT-168i8g2b8mva8diRhsEZ2xAn2Dt 
MRb25Ma2CX", 

"y": "VDrRyFJh-KwdlEjAgmj5Eo-CTHAZ53MC7PjjpLioy3ylEjIl1pOMbw9 
1£zZ84pbfm", 

"d": "IDKHfTv-PiifVw2VBHM ZiVcwOMxkOyANS lQHJcrDxVY3jhVCvZPw 
MxJKIE793C" 


Figure 207: Ephemeral Private Key for Recipient #2, in JWK Format 
Performing the "ECDH-ES+A256KW" key encryption operation over the CEK 
(Figure 202) with the following: 

o Static Elliptic Curve public key (Figure 108). 
o Ephemeral Elliptic Curve private key (Figure 207). 
produces the following Encrypted Key: 


ExInTOio9BqBMYF6-maw5tZlgoZXThD1zWKsHixJuw elY4gSSId w 


Figure 208: Recipient #2 Encrypted Key, base64url-encoded 


The following is generated after encrypting the CEK for the second 
recipient: 


o Recipient JWE Unprotected Header from Figure 209. 


"alg": "ECDH-ES+A256KW", 
"kid": "peregrin.took@tuckborough.example", 
"epk" : { 
"kty" : EC" 
TOPY *p-384", 
"x": "Uzdvk3pi5wKCRclizp5 r00jeqT-168i8g2b8mva8diRhsE2xAn2 
DtMRb25Ma2CX", 
"y": "VDrRyFJh-KwdlEjAgmj5Eo-CTHAZ53MC7PjjpLioy3ylEjIl1pOMb 
w91fzZ84pbfm" 


Figure 209: Recipient 42 JWE Per-Recipient Unprotected Header JSON 
The following is the assembled second recipient JSON: 

{ 
  "encrypted_key": "ExInTOio9%BqBMYF6-maw5tZl1lgoZXThD1zWKsHixJuw 
      .elY4gSSId w", 
  "header": { 
    "alg": "ECDH-ES+A256KW", 
    "kid": "peregrin.took@tuckborough.example", 
    "epk": { 
      "kty": "EC", 
      "crv": "P-384", 
      "x": "Uzdvk3pi5wKCRclizp5 r00jeqT-168i8g2b8mva8diRhsE2xA 
          n2DtMRb25Ma2CX", 
      "y": "VDrRyFJh-KwdlEjAgmj5Eo-CTHAZ53MC7PjjpLioy3ylEjIlpO 
          Mbw91fzZ284pbfm" 
    } 
  } 
} 

Figure 210: Recipient #2 JSON 
5.13.5.  Encrypting the Key to the Third Recipient 


The following is generated before encrypting the CEK for the third 
recipient: 


o Initialization Vector for key wrapping; this example uses the 
Initialization Vector from Figure 211. 


AvpeoPZ9Ncn9mkBn 


Figure 211: Recipient #2 Initialization Vector for Key Wrapping, 
base64url-encoded 


Performing the "A256GCMKW" key encryption operation over the CEK 
(Figure 202) with the following: 


o AES symmetric key (Figure 138); and 
o Initialization Vector (Figure 211) 
produces the following: 

o Encrypted Key from Figure 212. 


o Authentication Tag from Figure 213. 
a7CclAejo_7JSuPB8zeagxXRam8dwCfmkt 9-WyTpS1E 
Figure 212: Recipient #3 Encrypted Key, base64url-encoded 
59Nqh1L1YtVIhfD3pgRGvw 


Figure 213: Recipient #3 Authentication Tag from Key Wrapping, 
base64url-encoded 


The following is generated after encrypting the CEK for the third 
recipient: 


o Recipient JWE Unprotected Header; this example uses the header 
from Figure 214. 


"alg": "A256GCMKW", 

"kid": "18ec08el-bfa9-4d95-b205-2b4dd1d4321d", 
"tag": "59NghlLlYtVIhfD3pgRGvw", 

"iv": "AvpeoPZ9Ncn9mkBn" 


Figure 214: Recipient #3 JWE Per-Recipient Unprotected Header JSON 
The following is the assembled third recipient JSON: 

{ 
  "encrypted_key": "a7CclAejo_7JSuPB8zeagxXRam8dwCfmkt9-WyTpS1 
      E", 
  "header": { 
    "alg": "A256GCMKW", 
    "kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d", 
    "tag": "59NghlLlYtVIhfD3pgRGvw", 
    "iv": "AvpeoPZ9Ncn9mkBn" 
  } 
} 

Figure 215: Recipient #3 JSON 


5.13.6.  Encrypting the Content 


The following is generated before encrypting the content: 


o JWE Protected Header; this example uses the header from 
Figure 216, encoded to base64url [RFC4648] as Figure 217. 


Miller Informational [Page 106] 


RFC 7520 JOSE Cookbook May 2015 


"enc": "A128CBC-HS256" 


Figure 216: JWE Protected Header JSON 
eyJlbmMiOiJBMTIA4Q0JDLURhTMjU2InO0 
Figure 217: JWE Protected Header, baseó64url-encoded 


Performing the content encryption operation over the Plaintext 
(Figure 72) with the following: 


o CEK (Figure 202), 
o Initialization Vector (Figure 203), and 
o JWE Protected Header (Figure 217) as the authenticated data 
produces the following: 
o Ciphertext from Figure 218. 
o Authentication Tag from Figure 219. 
ajm2Q-OpPXCr7-MHXicknbllsxLdXxK yLdsOKuhJzfWK04SjdxQeSw2L9mu3a 
.k1C55kCQ 3xlkcVKC5yr  Is48VOOoK0k63 ORM9tBURMFqLByJ8vOYOXOOJW4 
VUHJLmGhF-tVOWB7Kz8mr8zeE7txFOMSaP6ga7-siYxStR7 GO7Thdljh-zGTO 
wxM5g-VRORtqOK6AXpLlwEqRp7pkt2zRMOZAXqSpelO6FJ7FHLDyEFnD-zDIZu 
kLpCbzhzMDLLw2-8114FQrgi-iEuzHgIJFIJn2wh9TjOcg kOZy9BqMRZbmYXM 
Y9YOjorZ P JYG3ARAIF3OjDNqpdYe-K 50Q5crGJSDNyij ygEiltR5jssQVH2 
ofDOdLChtazE 

Figure 218: Ciphertext, base64url-encoded 


BESYyFN7TO9KY7i8zKs5 g 


Figure 219: Authentication Tag, base64url-encoded 




The following is generated after encrypting the Plaintext: 
o JWE Shared Unprotected Header parameters; this example uses the 
header from Figure 220. 


"cty": "text/plain" 


Figure 220: JWE Shared Unprotected Header JSON 
5.13.7. Output Results 
The following compose the resulting JWE object: 
o Recipient #1 JSON (Figure 206) 
o Recipient #2 JSON (Figure 210) 
o Recipient #3 JSON (Figure 215) 
o Initialization Vector (Figure 203) 
o Ciphertext (Figure 218) 
o Authentication Tag (Figure 219) 
The JWE Compact Serialization is not presented because it does not 
support this use case; the flattened JWE JSON Serialization is not 
presented because there is more than one recipient. 
The resulting JWE object using the general JWE JSON Serialization: 

{ 
  "recipients": [ 
    { 
      "encrypted_key": "dYOD28kab0Vvf40DgxVAJXgHcSZICSOp8M51z 4 
          wj4w6Y5GAXJOSNNIBiqyvUUAOCpL787-cFe7Pio7gV Q06WmCSa- 
          vhW6me4bWrBf7cHwEQJdXihidAYWVajJIaKMXMvFRMV6iDlRr076 
          DFthg2 AVO tSiV6xSEIFqtixnYPpmP91tc5WJDOGb-wqjw0-b-S 
          1laS110VbuP78dQ7Fa0zAVzzjHX-xvyM2wxj otxr9clN1LnZMbe 
          YSrRicJK5xodvWgkpIdkMHo4LvdhRRvzoKzlic89jFWPlnBq V4n 
          5trGuExtp -dbHcGlihqc wGgho9fLMK8JOArYLCMDNQ", 
      "header": { 
        "alg": "RSA1_5", 
        "kid": "frodo.baggins@hobbiton.example" 
      } 
    }, 
    { 
      "encrypted_key": "ExInTOio9BqBMYF6-maw5tZlgoZXThDl1zWKsHi 
          xJuw elY4gSSId w", 
      "header": { 
        "alg": "ECDH-ES+A256KW", 
        "kid": "peregrin.took@tuckborough.example", 
        "epk": { 
          "kty": "EC", 
          "crv": "P-384", 
          "x": "Uzdvk3pi5wKCRclizp5 r00jeqT-168i8g2b8mva8diRhs 
              E2xAn2DtMRb25Ma2CX", 
          "y": "VDrRyFJh-KwdlEjAgmj5Eo-CTHAZ53MC7PjjpLioy3ylEj 
              T1pOMbw91fzZ84pbfm" 
        } 
      } 
    }, 
    { 
      "encrypted_key": "a7CclAejo_7JSuPB8zeagxXRam8dwCfmkt 9-Wy 
          TpS1E", 
      "header": { 
        "alg": "A256GCMKW", 
        "kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d", 
        "tag": "59NghlLlYtVIhfD3pgRGvw", 
        "iv": "AvpeoPZ9Ncn9mkBn" 
      } 
    } 
  ], 
  "unprotected": { 
    "cty": "text/plain" 
  }, 
  "protected": "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", 
  "iv": "VgEIHY20EnzUtZF12RpBlg", 
  "ciphertext": "ajm2Q-OpPXCr7-MHXicknbllsxLdXxK yLdsOKuhJzfWK 
      04S5jdxQeSw2L9mu3a k1C55kCQ 3xlkcVKC5yr  Is48VOoK0k63 ORM 
      9tBURMFqLByJ8vOYOXOOoJWAVUHJLmGhF-tVOWB7Kz8mr8zeE7txFOMSa 
      P6ga7-siYxStR7 G0O7Thd1ljh-zGTOwxM5g-VRORtqOK6AXpLlwEqRp7p 
      kt2zRMOZAXqSpelO6FJ7FHLDyEFnD-zDIZukLpCbzhzMDLLw2-81I14FQ 
      rgi-iEuzHgIJFIJn2wh9TjO0cg kOZy9BqMRZbmYXMY9YQjorZ P JYG3 
      ARAIF3OjDNqpdYe-K 505crGJSDNyij ygEiItR5jssQVH2ofDOdLCht 
      azE", 
  "tag": "BESYyFN7TO9KY7i8zKs5_g" 
} 

Figure 221: General JWE JSON Serialization 
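As an added example (not code from RFC 7520 or the ietf-jose/cookbook repository), the following Python assembles the general, flattened and compact serializations from the parts listed in the output-results sections of 5.12 and 5.13, enforcing the constraints those sections state: the flattened form needs exactly one recipient, the compact form additionally needs every header parameter in the protected header, and parameter names across the protected, shared unprotected and per-recipient headers must not overlap. The encrypted keys, IV, ciphertext and tag are constructed placeholder bytes; the kids and header names are the ones in the figures above.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires (RFC 4648 Section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_protected(header) -> str:
    """BASE64URL(UTF8(JWE Protected Header)) with no whitespace; "" if none."""
    if not header:
        return ""
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def check_headers(protected, unprotected, per_recipient):
    """JWE (RFC 7516) Section 7.2.1: parameter names in the three header
    locations must be disjoint, and each recipient must see "alg" and "enc"."""
    for rh in per_recipient:
        seen = set()
        for part in (protected or {}, unprotected or {}, rh or {}):
            dup = seen.intersection(part)
            if dup:
                raise ValueError("duplicate header parameter(s): %s" % sorted(dup))
            seen.update(part)
        missing = {"alg", "enc"} - seen
        if missing:
            raise ValueError("recipient lacks %s" % sorted(missing))


def serialize_jwe(protected, unprotected, recipients, iv, ciphertext, tag):
    """Return {"general": dict, "flattened": dict or None, "compact": str or None}.

    recipients is a list of (per-recipient header dict or None, encrypted-key
    bytes).  The flattened form exists only for exactly one recipient; the
    compact form only when, in addition, no shared-unprotected or per-recipient
    header is used, because compact carries the protected header alone.
    """
    check_headers(protected, unprotected, [h for h, _ in recipients])
    prot = encode_protected(protected)
    general = {"recipients": []}
    for hdr, ek in recipients:
        entry = {"encrypted_key": b64url(ek)}
        if hdr:
            entry["header"] = hdr
        general["recipients"].append(entry)
    if unprotected:
        general["unprotected"] = unprotected
    if prot:
        general["protected"] = prot
    general.update(iv=b64url(iv), ciphertext=b64url(ciphertext), tag=b64url(tag))

    flattened = compact = None
    if len(recipients) == 1:
        flattened = {k: v for k, v in general.items() if k != "recipients"}
        flattened.update(general["recipients"][0])   # hoist encrypted_key/header
        if not unprotected and not recipients[0][0]:
            compact = ".".join([prot, flattened["encrypted_key"], flattened["iv"],
                                flattened["ciphertext"], flattened["tag"]])
    return {"general": general, "flattened": flattened, "compact": compact}


# Constructed stand-in bytes; the real values are in the figures above.
EK = [b"\x01" * 256, b"\x02" * 40, b"\x03" * 40]
IV, CT, TAG = b"\x04" * 16, b"\x05" * 48, b"\x06" * 16

# Section 5.13 shape: three recipients, "enc" protected, "cty" shared unprotected
# (the "epk", per-recipient "iv" and "tag" parameters are omitted here).
MULTI = serialize_jwe(
    {"enc": "A128CBC-HS256"},
    {"cty": "text/plain"},
    [({"alg": "RSA1_5", "kid": "frodo.baggins@hobbiton.example"}, EK[0]),
     ({"alg": "ECDH-ES+A256KW", "kid": "peregrin.took@tuckborough.example"}, EK[1]),
     ({"alg": "A256GCMKW", "kid": "18ec08e1-bfa9-4d95-b205-2b4dd1d4321d"}, EK[2])],
    IV, CT, TAG)

# Section 5.12 shape: one recipient, every parameter in the shared unprotected header.
SHARED = serialize_jwe(
    None,
    {"alg": "A128KW", "kid": "81b20965-8332-43d9-a468-82160ad91ac8", "enc": "A128GCM"},
    [(None, EK[2])], IV, CT, TAG)

if __name__ == "__main__":
    print(json.dumps(MULTI["general"], indent=2))
    print("5.12 compact form available:", SHARED["compact"] is not None)
```

The protected header the code emits for the 5.13 shape is the base64url value of Figure 217, which you can compare against the figure directly.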
6. Nesting Signatures and Encryption 

This example illustrates nesting a JSON Web Signature (JWS) structure 
within a JSON Web Encryption (JWE) structure. The signature uses the 
"PS256" (RSASSA-PSS) algorithm; the encryption uses the "RSA-OAEP" 
(RSAES-OAEP) key encryption algorithm and the "A128GCM" (AES-GCM) 
content encryption algorithm. 

Note that RSASSA-PSS uses random data to generate the signature, and 
RSAES-OAEP uses random data to generate the ciphertext; it might not 
be possible to exactly replicate the results in this section. 

Note that whitespace is added for readability as described in 
Section 1.1. 
6.1. Signing Input Factors 

The following are supplied before beginning the signing operation: 

o Payload content; this example uses the JSON Web Token [JWT] 
content from Figure 222, encoded as base64url [RFC4648] to produce 
Figure 223. 

o RSA private key; this example uses the key from Figure 224. 

o "alg" parameter of "PS256". 

"iss": "hobbiton.example", 


"exp": 1300819380, 
"http://example.com/is root": true 


Figure 222: Payload Content, in JSON Format 
eyJpc3MiOiJob2JiaXRvbi5leGFtcGxlliwiZXhwIjoxMzAwODE5MzgwLCJodH 
RwOi8vZXhhbXBsZ5S5jb20vaXNfcm9vdCI6dHJ12X0 


Figure 223: Payload Content, base64url-encoded 


" kty" : "RSA" » 

"kid": "hobbiton.example", 

"use": "sig", 

"n": "kNrPIBDXMU6fcCyv5i-OHQAQ-K8gsC3HJb7FYhYaw8hXbNJa-t8q01D 


KwLZgQXYV-ffWxXJv5GGrlZEAGU521fMEegTDzYTrROQS3tepgKF jMGg6Il 
y6fk11Z2Nsx2gEonsn1ShfzA9GIJwRTmtKPbk1s-hwx1IU5AT-AlelNgBg 
cF2vE5W25_SGGBoaROVAUYxqETDggM1z5cKV4Z3DZ8-1h4oVB0O7bkac6 
LOdHpJUUySH_Er20DXx30Kyi97PciXKTS-OKXnmm8ivyRCmux22ZoPUi 
nd2BKC50iG4MwAlhaL2Z2k8CsRdfy-7dg7z41Rp6D0OZeEvtaUp4bX4aK 


raL4rTfw", 
" e " : " AQAB " 7 
"d": "ZLe_TIxpE9-W_n2VBa-HWvuYPtjvxwVXC1JFOpJsdea8g9RMx34qEO 


EtnoYc2un3CZ3LtJi-mju5RAT8YSc76YJds32VwOUiO8mMBeG6-iOnvg 
ObobNx7K57-xjTJZU72EjOr9kB7z6ZKwDDq7HFyCDhUECYCcHFVCc7iL 6 
TibVhAhOFONWlqlJgEgwVYdOrybNGKifdnpEbwyHoMwY6HMlqvnEFgP7 
iZ0YzHUT535x6jj4VKcdA7ZduFkhUauysySEW7mxZM6fjlvdjJIy9LD1 
fIz30Xv4ckoqhKF5GONU6tNmMmNgAD6gIViyElelPrIxlltBhCI14bRW 
-ZzrpHgAQ", 

"p": "yKWYONIAqwMROQ1gIBOdT1INIcbDNUUS2Rh-pBaxD_mIkweMt 4Mg-0-B 
2iSYvMrs8horhonV7vxCQagcBAATGW-hAafUehWjxWSH-3KccRM8toL4 
eO0q7M-idRDOBXSoe722-CV2x ZCY3RP8qp642R13WgXqGDIMAMDUKZS j 
cY9-c", 

"q": "uND4015V30KDzf8vFJw589p1v1Q0VO3NEilrinRUPHkkxaAzDzccGgr 
WMWpGxGFFnNL3w5CqPLeU76-51VYOq0HwYVlOhVXOHr7sgaGu-483Ad3 
ENCL23FrOnF45m7 200AStJDeA49MeLTTOKrSIBl SKvqpYvfSPTCzPcZ 
kh9Kk", 

"dp": "jmTInEoq2qqa8ouaymjhJSCnsveUXnMQC2gAneQJROkFqQu-zV2PKP 
KNbPVKVyiF5b2-L3tM30W2d2iNDyRUWX1T7V510KwPTABSTOnTqAmYCh 
Gi8kxXXdlhcrtSvxXldBakC6saxwI_TzGGY2MVXzc2ZnCvCXHV4qjSxOrf 
P3pHFU", 

"dq": "R9FUvU880VzEkTkX13-5-WusE4DjHmndeZIlu3rifBdfLpq P-iWP 
BbGaq9wzQlc-J7SzCdJqkEJDv5yd2C7rnZ6kpzwBh nmL8zscAklqsun 
nt9CJGAYz7-sGWylJGShFazfP52ThB4rlCJOYuEaOMrIzpY77 oLAhpm 
DAOhLk", 

"qi": "S8tC7ZknW6hPITkjcwttOOPLVmRfwirRlFAViuDb8NW9CrV 7F20q 
UZCqmzHTYAumwGFHIl1WVRep7anleWaJjxC 1b3fq al4gH3Pe-EKiHg6 
IMazuRtZLUROcThrExDbF5dYbsciDnfRUWLErZ4N1Be0bnxYuPqxwKd9 
QZwMoO" 


Figure 224: RSA 2048-Bit Private Key, in JWK Format 
6.2. Signing Operation 

The following is generated to complete the signing operation: 

o JWS Protected Header; this example uses the header from 
Figure 225, encoded using base64url [RFC4648] to produce 
Figure 226. 

{ 
  "alg": "PS256", 
  "typ": "JWT" 
} 

Figure 225: JWS Protected Header JSON 

eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9 

Figure 226: JWS Protected Header, base64url-encoded 
Performing the signature operation over the combined JWS Protected 
Header (Figure 226) and payload content (Figure 222) produces the 
following signature: 
dPpMqwRZxFYilUfcDAaf8M99o07kwUWtiXZ-ByvVuJih4MhJ aZqciprz0OWaIA 
kIvnlqskChirjKvY9ESZNUCPAJjvfyPS-nqjUxYOA5ztWOyFk2cZNIPXjcJXSOQ 
wXPO9tEe-v4VSqgDOaKHqPxYog4N6CzllKphlU1sYDSI67 bLL7elg vkjfMp5 
.W515LuUYGMeh6hxQIaIUXf9EwV2JmvTMuZ-vBOWyOSniylEFo72CRTvmtrIf5 
AROoO5MNliY3KtUxeP-SOmD-LEYwW9SlkohYzMVAZDDOrVbv7KVRHpeYNaK75KE 
OqdCEEkS rskZS-Ott nlegTWhlmEYaA 
Figure 227: JWS Signature, base64url-encoded 
6.3. Signing Output 

The following compose the resulting JWS object: 
o JWS Protected Header (Figure 226) 


o Payload content (Figure 223) 


o Signature (Figure 227) 
The resulting JWS object using the JWS Compact Serialization (which 
is the plaintext input to the following encryption operation): 

eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9 
. 
eyJpc3MiOiJob2JiaXRvbi5leGFtcGxlliwiZXhwIljoxMzAwODE5MzgwLCJodH 
RwOi8vZXhhbXBsZ55jb20vaXNfcm9vdCI6dHJ12X0 
. 
dPpMqwRZxFYilUfCcDAaf8M9907kwUWtiXZ-ByvVuJih4MhJ aZqciprz0OWaIlA 
kIvnlqskChirjKvY9ESZNUCPAJjvfyPS-nqjUxYOA5ztWOyFk2cZNIPXjcJXSOQ 
wXPO9tEe-v4VSqgDOaKHqPxYog4N6CzllKphlU1sYDSI67 bLL7elg vkjfMp5 
.W515LuUYGMeh6hxQIaIUXf9EwV2JmvTMuZ-vBOWyOSniylEFo72CRTvmtrIf5 
AROO5MNliY3KtUxeP-SOmD-LEYwW9SlkohYzMVAZDDOrVbv7KVRHpeYNaK75KE 
OqdCEEkS rskZS-Ott nlegTWhlmEYaA 

Figure 228: JWS Compact Serialization 

6.4. Encryption Input Factors 
The following are supplied before beginning the encryption process: 
o Plaintext content; this example uses the content from Figure 228. 
o RSA public key; this example uses the key from Figure 84. 
o "alg" parameter of "RSA-OAEP". 
o "enc" parameter of "A128GCM". 

6.5. Encryption Generated Factors 


The following are generated before encrypting: 


o AES symmetric key as the Content Encryption Key (CEK); this 
example uses the key from Figure 229. 


o Initialization Vector; this example uses the Initialization Vector 
from Figure 230. 


ORHSNYwN-6-2Q0BGsYTZLSQ 
Figure 229: Content Encryption Key, base64url-encoded 
GbX1i9kXz0sxXPmA 


Figure 230: Initialization Vector, base64url-encoded 
6.6. Encrypting the Key 


Performing the key encryption operation over the CEK (Figure 229) 
with the RSA key (Figure 84) produces the following Encrypted Key: 


a0JHRoITfpX4qRewImj1Stn8m3CPxBVlueY1VhjurCyrBg3I7YhCRY3phDOOS4 
E7rXbr2Fn6NyOq-A-gqTOFXqNjVOGrG-bil3mwy7RoYhjTkBEC6P7sMYMXXx4g 
zMedpiJHQVeyI-zkZV7A9matpgevAJWrXzOUysYGTtwoSN6gtUVtlLaivjvb21 
O0ul4YxSHV-ByKlkyeetRp fuYJxHoKLOL9PA424sKx2WGYbAzsBIPFA4ssl e5I 
R7nany-25 UmC2urosNkoFz9cQ82MypZP8gqbOJyPN-Fpp4Z-506yV64x6yzDU 
F 5JCIdl-QOv6H5dMVIY7qleKpXcV11WO 2FefEBqXxXvIljLeZivjNkzogCq3-I 
apSjVEnMjBxjpYLT8muaawolyylXXMuinIpNcOY3n4AKKrXLrCcteX85m4AIIHMZ 
a38slHpr56fPPseMA-Jltmt-a9iEDtOzhtxz8AXy9tsCAZV2XBWNG8c3kJusAa 
mBKOYwfk7JhLRDgOnJjlJLhn7TIA4UxDp9dCmUXEN6zOv23W15qJIEXNJtqnblp 
ymooeWAHCT4e OwbimlgO0AEpTHUdA2iiLNs9WTX H TXuPC8yDDhilsmxS X x 
pkIHkilHWDOLxO3BpqDTivpKkBYwqP2UZkcxqX2Fo GnVrNwlK7Lgxw6FSQvDO 
0 


Figure 231: Encrypted Key, base64url-encoded 


6.7.  Encrypting the Content 


The following is generated before encrypting the Plaintext: 


o JWE Protected Header; this example uses the header from 
Figure 232, encoded using base64url [RFC4648] to produce 
Figure 233. 

{ 
  "alg": "RSA-OAEP", 
  "cty": "JWT", 
  "enc": "A128GCM" 
} 

Figure 232: JWE Protected Header JSON 

eyJhbGciOiJSU0EtT0FFUCIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhHQ00ifQ 

Figure 233: JWE Protected Header, base64url-encoded 
Performing the content encryption operation over the Plaintext 
(Figure 228) with the following: 

o CEK (Figure 229); 
o Initialization Vector (Figure 230); and 
o JWE Protected Header (Figure 233) as authenticated data 
produces the following: 
o Ciphertext from Figure 234. 
o Authentication Tag from Figure 235. 
SZI4IvKHmwpazl pJOXX3mHvlANnOUAWf9-utWYUCKrBNgCe2O0FMf66cS8J8k2Q 
kxaQD3 R60MGE9o0fomwtky3GFxMeGRjtpMt9OAvVLsAXBO UTCBGyBg3C2bWLX 
qZlfJAAoJRUPRk-BimYZ2Y81zVBuIhc7HsQePCpu33SzMsFHjn4lP idrJz glZ 
TNgKDt 8zdnUPauKTKDNOH1DD4fuzvDYfDIAfqGPyL5sVRwbixpxXdGokEs zM- 9C 
hMPqWi1QNhzuX Zul3bvrJwr7nuGZs4cUScY3n8yE3AHCLurgls-A9mz1X38xEa 
ulV1814Fg9tLejdkAuQZjPbqeHOBJe4IwGD5Ee0dO-Mtz4NnhkIWx-YKBb Xo2 
zI3O0 1sYjKUuis7yWW-HTr vqvFt0bj7WJf2vzBOTZ3dvsoGaTvPH2dyWwumUr 
lx4gmPUzBdwTO6ubfYSDUEEz5pyOd OtWeUSYcCYBKD-aM7tXg26qJo21gYjLf 
hn9zy-Wl19sOCZGuzgFjPhawXHpvnj t-0 ES96kogjJLxS11MU9Y5XmnwZMyNc 
9EIwnogsCg-hVuvzyPOsIruktm194 SL1xgMl17003phcTMxtlMizR88NKU1WkB 
SiXMCjylNoue7MD-ShDp5dmM 
Figure 234: Ciphertext, base64url-encoded 

KnIKEhN8U-3C9s4gtSpjSw 

Figure 235: Authentication Tag, base64url-encoded 

6.8. Encryption Output 
The following compose the resulting JWE object: 

o JWE Protected Header (Figure 233) 
o Encrypted Key (Figure 231) 
o Initialization Vector (Figure 230) 


o Ciphertext (Figure 234) 


o Authentication Tag (Figure 235) 
The resulting JWE object using the JWE Compact Serialization: 

eyJhbGciOiJSU0EtT0FFUCIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhHQ00ifQ 
. 
a0JHRoITfpX4qRewImjlStn8m3CPxBV1lueYlVhjurCyrBg3I7YhCRYjphDOOS4 
E7rXbr2Fn6NyOq-A-gqTOFXqNjVOGrG-bil3mwy7RoYhjTkBEC6P7sMYMXXx4g 
zMedpiJHQVeyI-zkZV7A9matpgevAJWrXzOUysYGTtwoSN6gtUVtlLaivjvb21 
O0ul4YxSHV-ByKlkyeetRp fuYJxHoKLOL9PA424sKx2WGYbAzsBIPFAssl e5I 
R7nany-25 UmC2urosNkoFz9cQ82MypZP8gqbOJyPN-Fpp4Z-506yV64x6yzDU 
F 5JCIdl-Qv6H5dMVIY7qleKpXcV11WO 2FefEBqXxXvIljLeZivjNkzogCq3-I1 
apSjVEnMjBxjpYLT8muaawolyylXXMuinIpNcOY3n4AKKrXLrCcteX85m4AIIHMZ 
a38slHpr56fPPseMA-Jltmt-a9iEDtOzhtxz8AXy9tsCAZV2XBWNG8c3kJusAa 
mBKOYwfk7JhLRDgOnJjlJLhn7TIA4UxDp9dCmUXEN6zOv23W15qJIEXNJtqnblp 
ymooeWAHCT4e OwbimlgO0AEpTHUdA2iiLNs9WTX H TXuPC8yDDhilsmxS X x 
pkIHkilHWDOLxO3BpqDTivpKkBYwqP2UZkcxqX2Fo GnVrNwlK7Lgxw6FSQvDO 
0 
. 
GbX1i9kXz0sxXPmA 
. 
SZI4IvKHmwpazl pJOXX3mHvlANnOUAWf9-utWYUCKrBNgCe2O0FMf66cS8J8k2Q 
kxaQD3 R60MGE9ofomwtky3GFxMeGRjtpMt9OAvVLsAXBO UTCBGyBg3C2bWLX 
qZlfJAAoJRUPRk-BimYZ2Y81zVBuIhc7HsQePCpu33SzMsFHjn4lP idrJz glZ 
TNgKDt 8zdnUPauKTKDNOH1DD4fuzvDYfDIAfqGPyL5sVRwbixpxXdGokEs zM- 9C 
hMPqWlONhzuX Zul3bvrJwr7nuGZs4cUScY3n8yE3AHCLurgls-A9mz1X38xEa 
ulV1814Fg9tLejdkAuQZjPbqeHOBJe4IwGD5Ee0dO-Mtz4NnhkIWx-YKBb Xo2 
zI3O0 1sYjKUuis7yWW-HTr vqvFt0bj7WJf2vzBOTZ3dvsoGaTvPH2dyWwumUr 
lx4gmPUzBdwTO6ubfYSDUEEzb5pyO0d OtWeUSYcCYBKD-aM7tXg26qJo21gYjLf 
hn9zy-Wl19sOCZGuzgFjPhawXHpvnj t-0 ES96kogjJLxS11MU9Y5XmnwZMyNc 
9EIwnogsCg-hVuvzyPOsIruktm194 SL1xgMl17003phcTMxtlMizR88NKU1WkB 
SiXMCjylNoue7MD-ShDp5dmM 
. 
KnIKEhN8U-3C9s4gtSpjSw 


Figure 236: JWE Compact Serialization 
The resulting JWE object using the general JWE JSON Serialization: 

{ 
  "recipients": [ 
    { 
      "encrypted_key": "aQJHRoITfpx4qRewImj1Stn8m3CPxBVlueY1Vh 
          jurCyrBg3I7YhCRYjphDOOSA4E7rXbr2Fn6NyOq-A-gqTOFXqNjVO 
          GrG-bil3mwy7RoYhjTkBEC6P7sMYMXXx4gzMedpiJHOQVeyI-zkZV 
          7A9matpgevAJWrXzOUysYGTtwoSN6gtUVtlLaivjvb2100ul4YxS 
          HV-ByKlkyeetRp_fuYJxHoKLQL9P424sKx2WGYb4zsBIPF4ssl_e 
          5IR7nany-25_UmC2urosNkoFz9cQ82MypZP 8gqbQJUyPN-Fpp4Z-5 
          o6yV64x6yzDUF 5JCIdl-Qv6H5dMVIY7qleKpXcV11WO 2FefEBq 
          XxXvI1jLeZivjNkzogCq3-IapSjVFnMjBxjpYLT8muaawolyylXXM 
          uinIpNcoY3n4KKrXLrCcteX85m4IIHMZa38s1Hpr56fPPseMA-J1 
          tmt-a9iEDtOzhtxz8AXy9tsCAZV2XBWNG8c3kJusAamBKOYwfk7J 
          hLRDgOnJjlJLhn7TIAUxDp9dCmUXEN6z0v23W15qJIEXNJtqnblp 
          ymooeWAHCT4e OwbimlgO0AEpTHUdA2iiLNs9WTX H TXuPC8yDDh 
          ilsmxS X xpkIHkilHWDOLxO03BpqDTivpKkBYwqP2UZkcxqX2Fo 
          GnVrNwlK7Lgxw6FSQvDOO" 
    } 
  ], 
  "protected": "eyJhbGciOiJSU0EtT0FFUCIsImN0eSI6IkpXVCIsImVuYy 
      I6IkExMjhHQ00ifQ", 
  "iv": "GbXli9kXzO0sxXPmA", 
  "ciphertext": "SZIAIvKHmwpazl pJOXX3mHv1ANnOUAWf9-utWYUCKrBN 
      gCe20FMf66cSJ8k2Q0kxaQD3 R60MGE9o0fomwtky3GFxMeGRjtpMt9O0Av 
      VLSAXBO_UTCBGyBg3C2bWLXqZ1fJAAOJRUPRk-BimYZY81zVBulhc7Hs 
      OePCpu33SzMsFHjn4lP idrJz glZTNgKDt8zdnUPauKTKDNOHI1DD4fu 
      ZzvDYfDIAfqGPyL5sVRwbiXpXdGokEszM-9ChMPqWl1ONhzuX Zul3bvrJ 
      wr/7nuGZs4cUScY3n8yE3AHCLurgls-A9mz1X38xEaulV1814Fg9tLejd 
      kAuQZjPbqgeHOBJe41wGD5Ee0dQ-Mtz4NnhkIWx-YKBb Xo2zI3Q 1sYj 
      KUuis7yWW-HTr vqvFt0bj7WJf2vzBOTZ3dvsoGaTvPH2dyWwumUrlx4 
      gmPUzBdwTO6ubfYSDUEEz5pyO0d OtWeUSYcCYBKD-aM7tXg26qJo21gY 
      jLfhn9zy-Wl19sOCZGuzgFjPhawXHpvnj t-0 ES96kogjJLxS1IMU9Y5 
      XmnwZMyNc9EIwnogsCg-hVuvzyPOsIruktm194 SL1xgM17003phcTMx 
      t1MizR88NKU1WkBsiXMC3jy1Noue7MD-ShDp5dmM", 
  "tag": "KnIKEhN8U-3C9s4gtSpjSw" 
} 

Figure 237: General JWE JSON Serialization 
The resulting JWE object using the flattened JWE JSON Serialization: 

{ 
  "encrypted_key": "aQJHRoITfpxX4qRewImj1Stn8m3CPxBVlueY1Vhjurc 
      yrBg3I7YhCRYjphDOOSA4E7rXbr2Fn6NyOQq-A-gqTOFXqNjVOGrG-bi13 
      mwy7RoYhjTkBEC6P7sMYMXXx4gzMedpiJHQVeyI-zkZV7A9matpgevAJ 
      WrXzOUysYGTtwoSN6gtUVtlLaivjvb2100ul4YxSHV-ByKlkyeetRp f 
      uYJxHoKLOL9PA424sKx2WGYb4AzsBIPFAssl e5IR7nany-25 UmC2uros 
      NkoFz9cQ82MypZP8gqbQJyPN-Fpp4Z-506yV64x6yzDUF 5JCIdl-OQv6 
      H5dMVIY7qleKpXcV11WO 2FefEBqXxXvIjLeZivjNkzogCq3-IapSjVF 
      nMjBxjpYLT8muaawolyylXXMuinIpNcOY3n4KKrXLrCcteX85m41IIHMZ 
      a38slHpr56fPPseMA-Jltmt-a9iEDtOzhtxz8AXy9tsCAZV2XBWNG8c3 
      kJusAamBKOYwfk7JhLRDgOnJjlJLhn7TIA4UxDp9dCmUXEN6z0v23W15q 
      JIEXNJtqnblpymooeWAHCT4e Owbiml1gO0AEpTHUdA2iiLNs9WTX H TX 
      uPC8yDDhilsmxS X xpkIHkilHWDOLx03BpqDTivpKkBYwqP2UZkcxqx 
      2Fo GnVrNwlK7Lgxw6FSQvDOO", 
  "protected": "eyJhbGciOiJSU0EtT0FFUCIsImN0eSI6IkpXVCIsImVuYy 
      I6IkExMjhHQ00ifQ", 
  "iv": "GbXli9kXzO0sxXPmA", 
  "ciphertext": "SZIA4IvKHmwpazl pJOXX3mHv1ANnOUAWf9-utWYUCKrBN 
      gCe20FMf66cSJ8k20kxaQD3_R60MGE90fomwtky3GFxMeGRItpMt 90Av 
      VLSAXBO_UTCBGyBg3C2bWLXqZ1fJAAOJRUPRk-BimYZY81zVBulhc7Hs 
      OePCpu33SzMsFHjn4lP idrJz glZTNgKDt8zdnUPauKTKDNOHI1DD4fu 
      ZvDYfDIAfqGPyL5sVRwbiXpXdGokEszM-9ChMPqwWl1QNhzuX Zul3bvrJ 
      wr/nuGZs4cUScY3n8yE3AHCLurgls-A9mz1X38xEaulV1814Fg9tLejd 
      kAuQZjPbqgeHOBJe41wGD5EeO0dQ-Mtz4NnhkIWx-YKBb Xo2zI13Q 1sYj 
      KUuis7yWW-HTr vqvFt0bj7WJf2vzBOTZ3dvsoGaTvPH2dyWwumUrlx4 
      gmPUzBdwTO6ubfYSDUEEz5pyO0d OtWeUSYcCYBKD-aM7tXg26qJo21gY 
      jLfhn9zy-Wl19sOCZGuzgFjPhawXHpvnj t-0 ES96kogjJLxS11IMU9Y5 
      XmnwZMyNc9EIwnogsCg-hVuvzyPOsIruktm194 SL1xgM17003phcTMx 
      t1MizR88NKU1WkBsiXMC3jy1Noue7MD-ShDp5dmM", 
  "tag": "KnIKEhN8U-3C9s4gtSpjSw" 
} 

Figure 238: Flattened JWE JSON Serialization 
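As an added example (not code from RFC 7520 or the cookbook project), the following Python shows the structural checks a recipient of the nested object in this section performs around the two cryptographic steps, which it does not implement (RSA-OAEP decryption and PS256 verification need a crypto library and the keys from Figures 84 and 224): classifying each compact serialization by its part count, rejecting unexpected "alg"/"enc" values in the outer header, using "cty": "JWT" to decide the plaintext is a nested JWT, building the JWS Signing Input, and checking "exp". The inner token is rebuilt from Figures 225 and 222 with a constructed placeholder signature; the outer envelope uses the Figure 232 header with placeholder key, IV, ciphertext and tag.

```python
import base64
import json
import re


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Undo unpadded base64url; reject anything outside the URL-safe alphabet."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", s):
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def split_compact(token: str):
    """Classify a compact serialization by part count: a JWS has three parts,
    a JWE five.  Returns (kind, parts, decoded protected header)."""
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))
    if kind is None:
        raise ValueError("%d parts is neither JWS nor JWE" % len(parts))
    return kind, parts, json.loads(b64url_decode(parts[0]))


def outer_checks(jwe: str, allowed_alg=("RSA-OAEP",), allowed_enc=("A128GCM",)):
    """Checks on the JWE envelope before decryption (Figure 233 header).
    Returns the header and whether "cty" announces a nested JWT."""
    kind, _, hdr = split_compact(jwe)
    if kind != "JWE":
        raise ValueError("expected a JWE")
    if hdr.get("alg") not in allowed_alg or hdr.get("enc") not in allowed_enc:
        raise ValueError("unexpected algorithms %r/%r" % (hdr.get("alg"), hdr.get("enc")))
    # RFC 7519 Section 5.2: a "cty" of "JWT" (compared case-insensitively)
    # tells the recipient to process the decrypted plaintext as a nested JWT.
    return hdr, str(hdr.get("cty", "")).upper() == "JWT"


def inner_checks(jws: str, now: int, allowed_alg=("PS256",)):
    """Checks on the decrypted plaintext, a JWS Compact Serialization
    (Figure 228), before its signature is verified with the PS256 key.
    Returns (header, claims, signing input, expired)."""
    kind, parts, hdr = split_compact(jws)
    if kind != "JWS":
        raise ValueError("nested content is not a JWS")
    if hdr.get("alg") not in allowed_alg:          # also refuses "none"
        raise ValueError("unexpected alg %r" % hdr.get("alg"))
    claims = json.loads(b64url_decode(parts[1]))
    # JWS Signing Input = ASCII(BASE64URL(header) || '.' || BASE64URL(payload))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expired = "exp" in claims and now >= claims["exp"]   # RFC 7519: now must be before exp
    return hdr, claims, signing_input, expired


def compact_json(obj) -> str:
    """BASE64URL(UTF8(JSON without whitespace)), as the figures encode headers."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# Inner JWS rebuilt from Figures 225 and 222; the signature is a placeholder.
INNER_JWS = ".".join([
    compact_json({"alg": "PS256", "typ": "JWT"}),
    compact_json({"iss": "hobbiton.example", "exp": 1300819380,
                  "http://example.com/is_root": True}),
    b64url(b"\x00" * 256),
])
# Outer JWE with the Figure 232 header; key, IV, ciphertext and tag are placeholders.
OUTER_JWE = ".".join([
    compact_json({"alg": "RSA-OAEP", "cty": "JWT", "enc": "A128GCM"}),
    b64url(b"\x01" * 256), b64url(b"\x02" * 12),
    b64url(b"\x03" * len(INNER_JWS)), b64url(b"\x04" * 16),
])

if __name__ == "__main__":
    hdr, nested = outer_checks(OUTER_JWE)
    print("outer header:", hdr, "nested JWT:", nested)
    # ...RSA-OAEP decryption with the Figure 84 key pair would yield INNER_JWS here...
    print("inner claims:", inner_checks(INNER_JWS, now=1300819380)[1])
```

The first parts of INNER_JWS and OUTER_JWE are exactly the values of Figures 226 and 233, so the encoding can be checked against the text above.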
7. Security Considerations 


This document is designed to provide examples for developers to use 
in checking their implementations. As such, it does not follow some 
of the security considerations and recommendations in the core 
documents (i.e., [JWS], [JWE], [JWK], and [JWA]). For instance: 


o it does not always generate a new CEK value for every encrypted 
example; 


o it does not always generate a new Initialization Vector (IV) value 
for every encrypted example; and 


o it does not always generate a new ephemeral key for every 
ephemeral key example. 


For each example, data that is expected to be generated for each 
signing or encryption operation is isolated to sections titled 
"Generated Factors". 